CVE-2025-9216: CWE-434 Unrestricted Upload of File with Dangerous Type in kodezen StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis
Technical Summary
The StoreEngine WordPress plugin suffers from CWE-434: Unrestricted Upload of File with Dangerous Type. The vulnerability arises from the import() function lacking proper file type validation, enabling authenticated users with low privileges (Subscriber and above) to upload arbitrary files. This can potentially allow attackers to execute remote code on the server hosting the plugin. The issue affects all versions up to 1.5.0. No known exploits are reported in the wild as of the publication date. No patch or official fix has been documented yet.
Potential Impact
Successful exploitation allows an authenticated user with minimal privileges to upload arbitrary files, which may lead to remote code execution. This compromises the confidentiality, integrity, and availability of the affected system. Given the plugin's role in eCommerce and membership management, exploitation could result in significant business disruption and data compromise.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict user roles that have upload capabilities, monitor for suspicious file uploads, and consider disabling the import functionality if feasible. Avoid granting Subscriber-level or higher access to untrusted users.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-19T20:08:21.967Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cab09db62c8e2e63b24695
Added to database: 9/17/2025, 12:59:09 PM
Last enriched: 4/9/2026, 6:10:28 PM
Last updated: 5/10/2026, 4:42:41 AM