CVE-2025-9215: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kodezen StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
AI Analysis
Technical Summary
CVE-2025-9215 is a path traversal vulnerability (CWE-22) found in the StoreEngine WordPress plugin developed by kodezen, which is used for eCommerce functionalities including payments, memberships, affiliates, and sales. The vulnerability affects all versions up to and including 1.5.0. It arises from improper validation and limitation of file paths in the file_download() function, allowing an authenticated user with at least Subscriber-level privileges to manipulate the file path parameter to access arbitrary files on the server. This can lead to unauthorized disclosure of sensitive information stored on the server, such as configuration files, database credentials, or other private data. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 6.5 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is significant because WordPress is widely used, and eCommerce plugins often handle sensitive customer and payment data, increasing the risk if exploited.
Potential Impact
For European organizations, this vulnerability poses a risk of sensitive data exposure, including customer personal information, payment details, and internal configuration files. Such data breaches can lead to regulatory non-compliance under GDPR, resulting in heavy fines and reputational damage. The ability for low-privilege authenticated users to access arbitrary files increases the attack surface, especially in environments where subscriber or low-level accounts are easily created or compromised. This could facilitate further attacks such as privilege escalation or lateral movement within the network. The exposure of payment-related data is particularly critical for eCommerce businesses, potentially leading to financial fraud or identity theft. Additionally, the breach of internal files could reveal credentials or system details that attackers can leverage for more extensive intrusions. The medium severity score indicates a significant but not immediately catastrophic risk, emphasizing the need for timely mitigation to prevent exploitation.
Mitigation Recommendations
European organizations using the StoreEngine plugin should immediately audit their WordPress installations to identify affected versions (up to 1.5.0). Until an official patch is released, they should implement strict access controls to limit Subscriber-level account creation and monitor for suspicious file access patterns. Employing Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the file_download() function can reduce risk. Additionally, organizations should review and harden file permissions on the server to restrict access to sensitive files, ensuring that the web server user has minimal privileges. Regularly scanning logs for anomalous access to files outside expected directories can help detect exploitation attempts early. Organizations should also prepare to apply patches promptly once available and consider isolating the WordPress environment or using containerization to limit potential damage. Finally, educating users about the risks of account compromise and enforcing strong authentication mechanisms can reduce the likelihood of attacker footholds.
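The log-scanning and WAF-rule recommendations above need a concrete definition of what a traversal attempt against a download endpoint looks like. The following Python script is an added example, not code from this page or from the StoreEngine plugin: it parses constructed access-log lines, isolates requests to an assumed download endpoint (the `/wp-admin/admin-ajax.php?action=file_download` URL shape, the `file` parameter name and the upload root directory are all assumptions, since the page does not give the plugin's request format), fully percent-decodes the parameter so double-encoded sequences are not missed, and resolves it against the allowed root to decide whether it would escape. The resolve-and-check step is the same confinement a hardened download handler applies before opening a file, so the script doubles as an illustration of the CWE-22 fix.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed download root on the server (illustrative path, not the plugin's real one).
DOWNLOAD_ROOT = "/var/www/html/wp-content/uploads/storeengine"

# Constructed sample access-log lines (Combined Log Format shape). The endpoint
# and the "file" query parameter are assumed for illustration; the plugin's
# real request format is not given on the page.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2025:12:59:09 +0000] "GET /wp-admin/admin-ajax.php?action=file_download&file=invoice-42.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [17/Sep/2025:12:59:30 +0000] "GET /wp-admin/admin-ajax.php?action=file_download&file=../../../../wp-config.php HTTP/1.1" 200 3301
203.0.113.9 - - [17/Sep/2025:12:59:41 +0000] "GET /wp-admin/admin-ajax.php?action=file_download&file=..%252f..%252fwp-config.php HTTP/1.1" 200 3301
203.0.113.7 - - [17/Sep/2025:13:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=file_download&file=reports/q3.csv HTTP/1.1" 200 880
203.0.113.7 - - [17/Sep/2025:13:00:10 +0000] "GET /shop/ HTTP/1.1" 200 14000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so "..%252f" is seen as "../"."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(raw_value: str, root: str = DOWNLOAD_ROOT):
    """Return (resolved_path, escapes_root).

    Mirrors the check a safe download handler must make: decode, normalise
    separators, join with the allowed root, collapse '..' components, and
    verify the result still lies inside the root.
    """
    value = decode_fully(raw_value).replace("\\", "/")
    if "\x00" in value:  # NUL bytes can truncate paths in native code; treat as hostile
        return value, True
    resolved = posixpath.normpath(posixpath.join(root, value))
    root = root.rstrip("/")
    inside = resolved == root or resolved.startswith(root + "/")
    return resolved, not inside


def scan_log(text: str, endpoint: str = "/wp-admin/admin-ajax.php",
             action: str = "file_download", param: str = "file"):
    """Flag download requests whose file parameter resolves outside the root."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != endpoint:
            continue
        qs = parse_qs(url.query, keep_blank_values=True)  # decodes one layer of %xx
        if qs.get("action", [""])[0] != action:
            continue
        for raw in qs.get(param, []):
            resolved, escapes = resolve_under_root(raw)
            if escapes:
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "status": int(m.group("status")),
                    "raw": raw,
                    "resolved": resolved,
                    # A 200 on a traversal request suggests the read succeeded
                    # and warrants incident handling, not just a block rule.
                    "likely_succeeded": m.group("status") == "200",
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} status={hit['status']} "
              f"param={hit['raw']!r} -> {hit['resolved']} "
              f"likely_succeeded={hit['likely_succeeded']}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents and adjusting the endpoint, action and parameter names to whatever the deployed plugin actually uses; the detection is driven by where the decoded path resolves, not by a `../` substring match, so encoded and backslash variants are caught without a separate signature for each.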
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-19T20:03:22.388Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cab09db62c8e2e63b2468e
Added to database: 9/17/2025, 12:59:09 PM
Last enriched: 9/17/2025, 1:00:09 PM
Last updated: 9/17/2025, 3:07:09 PM