CVE-2025-48148

StoreKeeper B.V. · StoreKeeper for WooCommerce

An unrestricted file upload vulnerability in StoreKeeper for WooCommerce allows attackers to upload malicious files, potentially leading to remote code execution.

Executive summary

An unrestricted file upload vulnerability in StoreKeeper for WooCommerce exposes the system to remote code execution by allowing the upload of malicious files.

Vulnerability

The software suffers from an unrestricted file upload vulnerability, allowing an unauthenticated or low-privileged attacker to upload arbitrary files to the server. If these files are executable, the attacker can achieve remote code execution.

Business impact

With a CVSS score of 10, this vulnerability represents the maximum level of risk. Successful exploitation grants an attacker the ability to bypass file type restrictions, execute malicious code, and gain full control over the web application and its underlying server environment.

Remediation

Immediate Action: Update StoreKeeper for WooCommerce to the latest version, which contains the corrected file upload validation.

Proactive Monitoring: Monitor the web server’s upload directories for the presence of unauthorized executable files or scripts.

Compensating Controls: Implement strict file extension filtering and directory execution restrictions (e.g., disabling script execution in upload folders) at the web server level.
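To support the monitoring and compensating-control items above, here is an added example (not code from the advisory or from StoreKeeper) that scans an uploads tree for files a PHP web server could execute: it checks every dotted segment of the name, so double extensions such as name.php.jpg are caught, and looks for a PHP open tag in the content regardless of the extension. The extension list and the sample tree are assumptions constructed for the example; point scan_uploads at the real uploads directory in practice.

```python
import os
import tempfile
from pathlib import Path

# Extensions a PHP host may execute (assumption: typical Apache/nginx + PHP-FPM setup).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}
PHP_MARKERS = (b"<?php", b"<?=")  # PHP open tags; flag these whatever the file name says


def suspicious_reasons(path: Path) -> list:
    """Return why one file looks like an uploaded script; an empty list means it looks clean."""
    reasons = []
    # Check every dotted segment, so 'shell.php.jpg' is caught, not only the final suffix.
    hits = [s for s in path.name.lower().split(".")[1:] if s in SCRIPT_EXTS]
    if hits:
        reasons.append("script extension " + ",".join(hits))
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)  # the open tag is near the start; no need to read whole files
    except OSError:
        return reasons
    if any(m in head for m in PHP_MARKERS):
        reasons.append("PHP open tag in content")
    return reasons


def scan_uploads(root: str) -> dict:
    """Walk root (normally wp-content/uploads) and map each suspicious file to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            why = suspicious_reasons(p)
            if why:
                findings[p.relative_to(root).as_posix()] = why
    return findings


def build_sample_tree() -> str:
    """Constructed sample uploads tree: one harmless image, two files that should not be there."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = Path(root) / "2025" / "06"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG header only
    (month / "avatar.php.jpg").write_bytes(b"GIF89a<?php echo 'x'; ?>")    # double extension + PHP tag
    (Path(root) / "notes.phtml").write_bytes(b"plain text, but a server-executable extension")
    return root


if __name__ == "__main__":
    for rel, why in scan_uploads(build_sample_tree()).items():
        print(f"{rel}: {'; '.join(why)}")
```

Run it from cron against the real uploads directory and alert on any non-empty result; pair it with the web-server rule that denies script execution under that directory so a file that slips past detection still cannot run.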

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

The severity of this vulnerability necessitates immediate attention. Organizations must restrict file upload functionality and update the software to the latest version to prevent attackers from establishing persistence or executing arbitrary commands on the server.