CVE-2025-9216

8.8 HIGH

📋 TL;DR

The StoreEngine WordPress plugin up to version 1.5.0 has an arbitrary file upload vulnerability in its import function. Authenticated attackers with Subscriber-level access or higher can upload malicious files, potentially leading to remote code execution. This affects all WordPress sites using vulnerable versions of the StoreEngine plugin.

💻 Affected Systems

Products:
  • StoreEngine WordPress Plugin
Versions: All versions up to and including 1.5.0
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least Subscriber-level WordPress user account. Plugin must be active and CSV import functionality accessible.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to internal networks.

🟠 Likely Case

Website defacement, data theft, or installation of cryptocurrency miners or malware on the server.

🟢 If Mitigated

Limited impact if file uploads are restricted at web server level or if proper file type validation is implemented elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but only at Subscriber level, which is easy to obtain. Multiple public references and proof-of-concept code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/import.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the StoreEngine plugin.
  4. Click 'Update Now' if an update is available.
  5. Alternatively, download version 1.5.1+ from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable StoreEngine Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate storeengine

Restrict File Uploads via .htaccess (platform: linux)

Deny direct web access to PHP and other executable files in the directories that receive uploads. Note that this does not stop the upload itself; it stops the web server from executing or serving an uploaded file, which is what turns the upload into code execution.

# Place in the .htaccess of the directory that receives uploaded files.
# Apache 2.2 syntax; on Apache 2.4 replace the two Order/Deny lines with "Require all denied".
# The pattern has no trailing anchor, so double-extension names such as file.php.jpg are also matched.
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|php8|cgi|pl|asp|aspx|jsp|sh)">
  Order Allow,Deny
  Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Remove Subscriber role access to plugin functionality via custom code or role management plugins
  • Implement web application firewall rules to block suspicious file uploads to /wp-content/plugins/storeengine/ paths

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for StoreEngine version. If version is 1.5.0 or lower, you are vulnerable.

Check Version:

wp plugin get storeengine --field=version

Verify Fix Applied:

After update, verify StoreEngine plugin version shows 1.5.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /wp-content/plugins/storeengine/addons/csv/ajax/import.php
  • POST requests to import.php with file uploads from non-admin users
  • Execution of unexpected PHP files in plugin directories

Network Indicators:

  • HTTP POST requests to import.php endpoint from unexpected sources
  • Upload of files with double extensions (.php.jpg, .php.png)

SIEM Query:

source="web_server" AND (url="*import.php*" AND method="POST" AND user_agent NOT IN ("admin_user_agents") AND file_upload="true")
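The log and network indicators above turned into a small detector, as an added example that is not part of this advisory or the plugin vendor's code: it parses Apache combined-format access log lines, records which clients POSTed to the CSV import endpoint named above, and raises the severity when the same client is then served an executable or double-extension file from the plugin tree. The log lines and the `uploads/` directory inside the plugin tree are constructed sample data; the import endpoint path is the one the advisory gives.

```python
import re

# Constructed Apache "combined" access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Sep/2025:12:00:09 +0000] "POST /wp-content/plugins/storeengine/addons/csv/ajax/import.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Sep/2025:12:00:15 +0000] "GET /wp-content/plugins/storeengine/uploads/data.php.jpg HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:12:01:02 +0000] "GET /wp-content/plugins/storeengine/assets/app.js HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:12:01:10 +0000] "GET /wp-content/plugins/storeengine/addons/csv/ajax/import.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

IMPORT_ENDPOINT = "/wp-content/plugins/storeengine/addons/csv/ajax/import.php"  # from the advisory
PLUGIN_DIR = "/wp-content/plugins/storeengine/"
# Same extension list as the .htaccess workaround; no trailing anchor, so .php.jpg also matches.
EXEC_EXT_RE = re.compile(r"\.(php|phtml|php[34578]|phps|cgi|pl|asp|aspx|jsp|sh)", re.I)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return (severity, source_ip, path) findings for the StoreEngine indicators."""
    posted_import = set()  # clients that POSTed to the CSV import endpoint
    findings = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop query string before matching
        if path == IMPORT_ENDPOINT:
            if rec["method"] == "POST":  # only a POST carries an upload
                posted_import.add(rec["ip"])
                findings.append(("medium", rec["ip"], path))
            continue
        if path.startswith(PLUGIN_DIR) and EXEC_EXT_RE.search(path) and rec["status"] == "200":
            # Executable-looking file served from the plugin tree; a client that just used the
            # import endpoint makes this a likely upload-then-execute sequence.
            sev = "high" if rec["ip"] in posted_import else "medium"
            findings.append((sev, rec["ip"], path))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Feed real access logs through `scan()` and enrich with the WordPress user behind the session cookie where that is logged, since the advisory's distinguishing signal is a Subscriber-level account reaching an import endpoint.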
