CVE-2025-9216 - Vulnerability Details

- StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload

Description

The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Published: 2025-09-17

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The StoreEngine eCommerce plugin for WordPress suffers from a lack of file type validation in the import() function. This flaw allows authenticated users with at least Subscriber-level access to upload any file, which can lead to remote code execution if attackers place executable or script files in a web‑accessible directory. This weakness is a CWE‑434 Unvalidated File Type or Extension.

Affected Systems

WordPress sites running the StoreEngine plugin from kodezen, any released version up to and including 1.5.0.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% points to a low probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. Attackers need only valid subscriber credentials and can trigger the vulnerable import() routine to place arbitrary files on the server, potentially enabling remote code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

kodezen

StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.5.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update StoreEngine to a version newer than 1.5.0.
If an update is unavailable, disable the import feature or restrict it to trusted administrators only.
Implement server‑side file type validation to reject non‑image files before they are stored.

Generated by OpenCVE AI on April 21, 2026 at 19:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-29693	The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00578.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/d0n601/CVE-2025-9216
https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/import.php#L52
https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/import.php
https://ryankozak.com/posts/cve-2025-9216/
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f8cc393-4d6f-4d15-ad95-d4a89dfe433c?source=cve

History

Wed, 17 Sep 2025 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 17 Sep 2025 06:45:00 +0000

Type	Values Removed	Values Added
Description		The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title		StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses		CWE-434
References		https://github.com/d0n601/CVE-2025-9216 https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/import.php#L52 https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/import.php https://ryankozak.com/posts/cve-2025-9216/ https://www.wordfence.com/threat-intel/vulnerabilities/id/7f8cc393-4d6f-4d15-ad95-d4a89dfe433c?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-09-17T06:17:48.502Z

Updated: 2026-04-08T17:03:23.505Z

Reserved: 2025-08-19T20:08:21.967Z

Link: CVE-2025-9216

Vulnrichment

Updated: 2025-09-17T12:53:24.732Z

NVD

Status : Deferred

Published: 2025-09-17T07:15:42.477

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object