Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More by kodezen
CVE-2025-9216 (GCVE-0-2025-9216)
Vulnerability from nvd – Published: 2025-09-17 06:17 – Updated: 2026-04-08 17:03
VLAI?
Title
StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload
Summary
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity ?
8.8 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kodezen | StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More |
Affected:
0 , ≤ 1.5.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9216",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T12:53:18.549617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T12:53:28.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StoreEngine \u2014 Complete eCommerce Solution with Memberships, Licensing, Affiliates \u0026 More",
"vendor": "kodezen",
"versions": [
{
"lessThanOrEqual": "1.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan Kozak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The StoreEngine \u2013 Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales \u0026 More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:03:23.505Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f8cc393-4d6f-4d15-ad95-d4a89dfe433c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/import.php#L52"
},
{
"url": "https://github.com/d0n601/CVE-2025-9216"
},
{
"url": "https://ryankozak.com/posts/cve-2025-9216/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/import.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-07T19:24:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "StoreEngine \u2013 Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales \u0026 More \u003c= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9216",
"datePublished": "2025-09-17T06:17:48.502Z",
"dateReserved": "2025-08-19T20:08:21.967Z",
"dateUpdated": "2026-04-08T17:03:23.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9215 (GCVE-0-2025-9215)
Vulnerability from nvd – Published: 2025-09-17 06:17 – Updated: 2026-04-08 16:34
VLAI?
Title
StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Download
Summary
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity ?
6.5 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kodezen | StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More |
Affected:
0 , ≤ 1.5.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T12:51:40.073150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T12:51:48.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StoreEngine \u2014 Complete eCommerce Solution with Memberships, Licensing, Affiliates \u0026 More",
"vendor": "kodezen",
"versions": [
{
"lessThanOrEqual": "1.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan Kozak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The StoreEngine \u2013 Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales \u0026 More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:03.186Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b1dc05-1340-4ea3-9315-3e1ca4a0cb7f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/export.php#L47"
},
{
"url": "https://github.com/d0n601/CVE-2025-9215"
},
{
"url": "https://ryankozak.com/posts/cve-2025-9215/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/export.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-07T19:24:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "StoreEngine \u2013 Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales \u0026 More \u003c= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Download"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9215",
"datePublished": "2025-09-17T06:17:47.572Z",
"dateReserved": "2025-08-19T20:03:22.388Z",
"dateUpdated": "2026-04-08T16:34:03.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9216 (GCVE-0-2025-9216)
Vulnerability from cvelistv5 – Published: 2025-09-17 06:17 – Updated: 2026-04-08 17:03
VLAI?
Title
StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload
Summary
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity ?
8.8 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kodezen | StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More |
Affected:
0 , ≤ 1.5.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9216",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T12:53:18.549617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T12:53:28.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StoreEngine \u2014 Complete eCommerce Solution with Memberships, Licensing, Affiliates \u0026 More",
"vendor": "kodezen",
"versions": [
{
"lessThanOrEqual": "1.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan Kozak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The StoreEngine \u2013 Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales \u0026 More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:03:23.505Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f8cc393-4d6f-4d15-ad95-d4a89dfe433c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/import.php#L52"
},
{
"url": "https://github.com/d0n601/CVE-2025-9216"
},
{
"url": "https://ryankozak.com/posts/cve-2025-9216/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/import.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-07T19:24:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "StoreEngine \u2013 Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales \u0026 More \u003c= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9216",
"datePublished": "2025-09-17T06:17:48.502Z",
"dateReserved": "2025-08-19T20:08:21.967Z",
"dateUpdated": "2026-04-08T17:03:23.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9215 (GCVE-0-2025-9215)
Vulnerability from cvelistv5 – Published: 2025-09-17 06:17 – Updated: 2026-04-08 16:34
VLAI?
Title
StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Download
Summary
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity ?
6.5 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kodezen | StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More |
Affected:
0 , ≤ 1.5.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T12:51:40.073150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T12:51:48.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StoreEngine \u2014 Complete eCommerce Solution with Memberships, Licensing, Affiliates \u0026 More",
"vendor": "kodezen",
"versions": [
{
"lessThanOrEqual": "1.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan Kozak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The StoreEngine \u2013 Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales \u0026 More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:03.186Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b1dc05-1340-4ea3-9315-3e1ca4a0cb7f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/export.php#L47"
},
{
"url": "https://github.com/d0n601/CVE-2025-9215"
},
{
"url": "https://ryankozak.com/posts/cve-2025-9215/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/export.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-07T19:24:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "StoreEngine \u2013 Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales \u0026 More \u003c= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Download"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9215",
"datePublished": "2025-09-17T06:17:47.572Z",
"dateReserved": "2025-08-19T20:03:22.388Z",
"dateUpdated": "2026-04-08T16:34:03.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}