CVE-2025-9215
Description
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users with Subscriber-level access can read arbitrary files on the server via a path traversal vulnerability in the StoreEngine WordPress plugin's CSV Import/Export feature.
Vulnerability
Overview
The StoreEngine WordPress plugin (versions up to and including 1.5.0) contains a path traversal vulnerability in its CSV Import/Export feature. The file_download() function behind the storeengine_csv/file_download endpoint lacks proper path sanitization, allowing an attacker to traverse directories and read arbitrary files. The endpoint relies only on a nonce (storeengine_nonce) for protection; a nonce is a CSRF token, not an authorization check, and this one is exposed to all frontend users through the plugin's JavaScript, so any authenticated user can obtain it [1][2].
Exploitation
To exploit this vulnerability, an attacker must be authenticated with at least Subscriber-level access. Additionally, the CSV Import/Export addon must be enabled by an administrator (requires manage_options capability). Once these conditions are met, the attacker can extract the nonce from frontend pages and send a crafted request to download any file on the server, such as wp-config.php, which contains database credentials and other sensitive information [1][2].
Impact
Successful exploitation allows an authenticated attacker to read arbitrary files on the server, including WordPress configuration files, plugin source code, and other sensitive system files. This can lead to full disclosure of credentials, API keys, and other secrets, potentially enabling further compromise of the WordPress site and its underlying infrastructure [1][2].
Mitigation
The vulnerability has been patched in version 1.5.1 of the StoreEngine plugin. Users are strongly advised to update to the latest version immediately. If updating is not possible, administrators should disable the CSV Import/Export addon to prevent exploitation [1][2].
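The two missing controls described above (no capability check beyond the nonce, no containment of the requested path) are illustrated by the following hardened download handler. This is an added example written for this page, not StoreEngine's code or its patch; the action name, the `file` request parameter and the `storeengine-exports` directory are assumptions.

```php
<?php
// Hypothetical hardened AJAX download handler (added example, not plugin code).
// Assumed: the export files live in <uploads>/storeengine-exports/ and the
// request carries ?file=<name>.csv plus a 'nonce' field.
function example_csv_download_handler() {
    // 1. The nonce only proves the request came from the site's own UI.
    //    It is not authorization and must not be the only gate.
    check_ajax_referer( 'storeengine_nonce', 'nonce' );

    // 2. Require the same capability an admin needs to enable the addon,
    //    so Subscriber-level accounts are rejected outright.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_die()s internally
    }

    // 3. Accept a bare file name only. sanitize_file_name() strips path
    //    separators and other special characters.
    $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    if ( '' === $name || 'csv' !== pathinfo( $name, PATHINFO_EXTENSION ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // 4. Resolve both paths and confirm the target stays inside the export
    //    directory. realpath() collapses any remaining '..' or symlinks, so a
    //    traversal attempt resolves outside $base and is refused.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'storeengine-exports' );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // 5. Serve the vetted file.
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="' . basename( $target ) . '"' );
    header( 'Content-Length: ' . filesize( $target ) );
    readfile( $target );
    exit;
}
add_action( 'wp_ajax_example_csv_download', 'example_csv_download_handler' );
```

Steps 2 and 4 are the ones the advisory says were absent; either alone closes the Subscriber-level read, and together they also cover a future bug in the name filter.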
- "StoreEngine Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.4.0 - Authenticated (Subscriber+) Arbitrary File Download"
- GitHub - d0n601/CVE-2025-9215: StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.4.0 - Authenticated (Subscriber+) Arbitrary File Download
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/export.php
- plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/export.php
- ryankozak.com/posts/cve-2025-9215/
- www.wordfence.com/threat-intel/vulnerabilities/id/07b1dc05-1340-4ea3-9315-3e1ca4a0cb7f
News mentions
No linked articles in our index yet.