CVE Alert: CVE-2025-9216 – kodezen – StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More
CVE-2025-9216
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.
AI Summary Analysis
Risk verdict
High risk: authenticated Subscriber+ users can upload arbitrary files, with potential remote code execution on affected sites.
Why this matters
For WordPress stores using this plugin, an attacker could gain control over the web server, access customer data and payment details, or use the site as a foothold from which to pivot to other services. The absence of any user-interaction requirement and the high impact of code execution make this a serious business risk, especially where hosting and security controls are inconsistent.
Most likely attack path
The attacker must hold a Subscriber-level (or higher) account, then abuses the missing file-type validation in the plugin's import() function to upload a dangerous file; no user interaction from anyone else is required. If the web server executes the uploaded file, the attacker can run code, escalate access and maintain a foothold on the server, with the potential to pivot to databases or other connected services.
Who is most exposed
Sites deploying StoreEngine <= 1.5.0 on WordPress, particularly smaller or shared-hosting environments with weak upload controls and limited monitoring, are at greatest risk.
Detection ideas
- A spike in uploads through the plugin's importer (the import() function named above) carrying executable extensions (PHP and similar).
- New files appearing in the uploads directory with suspicious names or MIME mismatches.
- Web shells or encoded payloads detected in newly uploaded files.
- Unusual authenticated user activity from Subscriber+ accounts initiating large file uploads.
- Anomalous web server writes or PHP execution attempts tied to the plugin path.
Mitigation and prioritisation
- Patch immediately: upgrade beyond 1.5.0 or remove the vulnerable upload path if a patch is unavailable.
- Enforce server-side validation of uploads; disallow executable types and enforce strict MIME/type checks.
- Restrict PHP execution in uploads directories; implement WAF rules to block risky file types and patterns.
- Enforce least-privilege for user roles; audit Subscriber+ accounts for abnormal activity.
- Change-management: test patch in staging, backup prior to production deployment, schedule a rapid patch window.
- If KEV is true or EPSS ≥ 0.5, treat as priority 1. Data here does not indicate KEV/EPSS.
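As an added example that is not part of this advisory and not the plugin's own code, the Python below implements the server-side upload check described under mitigation (extension allowlist, rejection of executable extension segments and server configuration file names, magic-byte and content checks) and reuses the same check as an after-the-fact scan over an uploads tree for the detection ideas listed earlier (suspicious names, MIME mismatches, PHP tags in newly uploaded files). Everything it relies on is assumed rather than taken from the page: the set of extensions a typical Apache or nginx configuration hands to the PHP interpreter, a small image/CSV allowlist with magic bytes, and a constructed sample tree written to a temporary directory. The plugin's actual import() code is not shown on this page and is not reproduced here.

```python
"""Upload inspection used both as a pre-acceptance gate and as a
defender's scan of an uploads tree.  Added example; the sample files
and the extension/magic tables below are constructed assumptions."""
import os
import re
import tempfile

# Extensions a typical Apache/nginx setup may pass to PHP (assumption:
# adjust to the handler configuration of the server being protected).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# File names that change how the web server treats a directory.
BLOCKED_NAMES = {".htaccess", ".user.ini"}

# Allowlist an importer might accept, with the magic bytes each type
# must start with.  CSV is text, so it has no magic and relies on the
# PHP-tag scan instead.
ALLOWED_MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "csv": [],
}

# Long and short PHP open tags anywhere in the content.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def inspect_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons a file should be rejected; an empty list means it passes."""
    reasons = []
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base in BLOCKED_NAMES:
        reasons.append(f"server configuration file name '{base}'")
    exts = base.split(".")[1:]  # every segment: shell.php.jpg -> ["php", "jpg"]
    if not exts:
        reasons.append("no file extension")
        return reasons
    # An executable segment anywhere in the name is rejected, because some
    # server configurations evaluate every segment, not only the last one.
    for ext in exts:
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension segment '.{ext}'")
            break
    last = exts[-1]
    if last not in ALLOWED_MAGIC:
        reasons.append(f"extension '.{last}' not in the allowlist")
    elif ALLOWED_MAGIC[last] and not any(data.startswith(m) for m in ALLOWED_MAGIC[last]):
        reasons.append(f"content does not start with the magic bytes for '.{last}'")
    # Scan the whole content, not only the header: a valid image with PHP
    # appended still passes the magic-byte check.
    if PHP_TAG.search(data):
        reasons.append("PHP open tag present in content")
    return reasons


def scan_uploads(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree and map each flagged file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = inspect_upload(name, data)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


# Constructed sample tree, not real artefacts from any incident.
SAMPLES = {
    "2025/09/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "2025/09/orders.csv": b"id,total\n1,9.99\n",
    "2025/09/shell.php": b"<?php echo 'constructed sample'; ?>",
    "2025/09/avatar.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "2025/09/logo.jpg": b"<?php echo 'not an image'; ?>",
    "2025/09/.htaccess": b"# constructed sample\n",
}


def build_sample_tree() -> str:
    """Write the constructed samples into a temporary uploads tree and return its root."""
    root = tempfile.mkdtemp(prefix="uploads-")
    for rel, content in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_uploads(build_sample_tree()).items()):
        print(rel, "->", "; ".join(reasons))
```

In an importer, inspect_upload() belongs before the file is written to disk, and the filename that reaches the filesystem should be regenerated rather than taken from the request. Run as a script it prints the four flagged sample files; pointed at a real uploads tree, scan_uploads() gives the "new files with suspicious names or MIME mismatches" signal from the detection list. Neither check replaces denying PHP execution in the uploads directory at the web server, which remains the backstop if validation is bypassed.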