CVE-2025-9216
StoreEngine · StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More
A high-severity vulnerability has been identified in the StoreEngine WordPress plugin, which could allow an unauthenticated attacker to take complete control of an affected website.
Executive summary
A high-severity vulnerability has been identified in the StoreEngine WordPress plugin, which could allow an unauthenticated attacker to take complete control of an affected website. The flaw stems from the plugin's failure to properly check the types of files being uploaded, enabling an attacker to upload and execute malicious code. This could lead to data theft, website defacement, or further attacks originating from the compromised server.
Vulnerability
The vulnerability exists within the import() function of the StoreEngine plugin. This function lacks proper validation to ensure that uploaded files are of an expected and safe type (e.g., CSV, XML). An attacker can exploit this by crafting a request to the import functionality and uploading a malicious script, such as a PHP web shell, disguised as a legitimate import file. Once the malicious file is on the server, the attacker can navigate to its location and execute it, gaining the ability to run arbitrary commands on the underlying web server with the permissions of the web server's user account.
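The advisory describes an import routine that writes whatever it receives to disk without confirming the file is one of the types the feature actually needs. The following Python module is an added illustration, not StoreEngine's code and not a port of it, of the check such a routine needs before it touches the filesystem: a strict extension allowlist, rejection of multi-extension names such as `shell.php.csv`, and a content check that the bytes really look like CSV or XML and contain no PHP open tag. The function names, the `ALLOWED_EXTENSIONS` set and the sample payloads are constructed for this example.

```python
"""Added example (not StoreEngine's code): validating an import upload
before it is written anywhere. All names and samples are constructed."""
import os
import re
from typing import Optional, Tuple

# Assumption: the import feature only ever needs CSV and XML, the types the
# advisory names as expected. Anything else is rejected outright.
ALLOWED_EXTENSIONS = {"csv", "xml"}

# A '<?' that is not '<?xml' is a PHP open tag ('<?php', '<?=') and never
# belongs in a text import, whatever the extension claims.
_PHP_OPEN_TAG = re.compile(rb"<\?(?!xml)", re.I)
_XML_PREFIX = re.compile(rb"^\s*<(\?xml|[A-Za-z_])", re.I)


def sniff_content(data: bytes) -> Optional[str]:
    """Return 'xml' or 'csv' based on the leading bytes, or None if neither.

    A NUL byte or a PHP open tag disqualifies the file. The CSV heuristic is
    deliberately conservative: a printable, delimited first line with no '<'.
    """
    head = data[:512]
    if b"\x00" in head or _PHP_OPEN_TAG.search(head):
        return None
    if _XML_PREFIX.match(head):
        return "xml"
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return None
    first_line = text.splitlines()[0] if text else ""
    if first_line and ("," in first_line or ";" in first_line) and "<" not in first_line:
        return "csv"
    return None


def validate_import_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only a single-extension .csv/.xml name whose
    content agrees with that extension is accepted."""
    base = os.path.basename(filename)      # drop any directory component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # 'shell.php.csv', 'shell.csv.php' and '.csv' all land here
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' is not on the allowlist"
    kind = sniff_content(data)
    if kind is None:
        return False, "content does not look like CSV or XML"
    if kind != ext:
        return False, f"content looks like {kind} but extension is .{ext}"
    return True, "ok"


def import_file(filename: str, data: bytes, dest_dir: str) -> Optional[str]:
    """Write the upload only after it passes validation; return the path or None."""
    accepted, _reason = validate_import_upload(filename, data)
    if not accepted:
        return None
    path = os.path.join(dest_dir, os.path.basename(filename).lower())
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed samples: a legitimate product sheet and a mislabelled script.
    print(validate_import_upload("products.csv", b"sku,name,price\n1,Widget,9.99\n"))
    print(validate_import_upload("products.php", b"<?php echo 'x'; ?>"))
    print(validate_import_upload("products.php.csv", b"sku,name\n"))
```

The content sniff is a second line of defence, not the primary control: the allowlist on the final extension is what keeps a script from landing under a name the web server will execute, and the advisory's compensating control of disabling script execution in the uploads directory covers the case where validation is bypassed altogether.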
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation would grant an attacker complete control over the affected WordPress site, leading to severe business consequences. Potential impacts include the theft of sensitive data such as customer personal information and payment details, reputational damage from website defacement, financial loss from fraudulent activities, and the use of the compromised server to attack other systems or host malware. This poses a significant risk to data integrity, confidentiality, and business continuity.
Remediation
Immediate Action: Immediately update the "StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More" plugin to the latest patched version provided by the vendor. If the plugin is no longer required for business operations, it should be deactivated and completely removed from the WordPress installation to eliminate the attack surface.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the plugin's import endpoint, particularly those involving file uploads with unexpected extensions (e.g., .php, .phtml, .sh). Implement file integrity monitoring to detect the creation of new, unauthorized files in web-accessible directories, especially the WordPress uploads folder. Monitor for unusual outbound network traffic originating from the web server, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to block the upload of executable file types. If the import feature of the plugin is not in use, consider disabling it through configuration or server-side rules. Additionally, ensure file permissions on the web server are hardened to prevent the execution of scripts in directories where file uploads are permitted.
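The monitoring advice above comes down to one pattern in the access log: a POST to the import endpoint followed, from the same client, by a request for a script under `wp-content/uploads/`. The Python script below is an added example, not part of the advisory and not a vendor tool, that parses combined-format access log lines and raises a medium alert for any request to a `.php`, `.phtml` or `.sh` path under the uploads directory (no WordPress feature serves scripts from there) and a high alert when such a request follows an import POST from the same IP within a five-minute window. The `IMPORT_ENDPOINT_MARKER` value is a placeholder to be replaced with the plugin's real import endpoint, and the log lines are constructed.

```python
"""Added example (not from the advisory or the plugin): flagging the
upload-then-execute sequence in web server access logs. Log lines are
assumed to be in chronological order, as they are in a live access log."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# PLACEHOLDER: substitute the plugin's actual import endpoint path or action.
IMPORT_ENDPOINT_MARKER = "action=IMPORT_ACTION_PLACEHOLDER"
UPLOADS_PREFIX = "/wp-content/uploads/"
EXECUTABLE_EXTENSIONS = (".php", ".phtml", ".sh")   # the extensions the advisory lists

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client imports, then fetches a script it dropped;
# another client probes for a script with no preceding import.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?action=IMPORT_ACTION_PLACEHOLDER HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:13:55:40 +0000] "GET /wp-content/uploads/2025/10/report.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2025:13:56:01 +0000] "GET /wp-content/uploads/2025/10/banner.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2025:13:56:30 +0000] "GET /wp-content/uploads/cache.phtml HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2025:13:57:12 +0000] "POST /wp-admin/admin-ajax.php?action=IMPORT_ACTION_PLACEHOLDER HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]      # path without query string
    return rec


def is_import_post(rec: dict) -> bool:
    return rec["method"] == "POST" and IMPORT_ENDPOINT_MARKER in rec["target"]


def is_executable_under_uploads(rec: dict) -> bool:
    path = rec["path"].lower()
    return path.startswith(UPLOADS_PREFIX) and path.endswith(EXECUTABLE_EXTENSIONS)


def analyze(lines: List[str], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return one alert per script request under uploads, rated high when the
    same IP hit the import endpoint within `window` beforehand."""
    last_import: Dict[str, datetime] = {}
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_import_post(rec):
            # An import by itself is normal admin activity; just remember it.
            last_import[rec["ip"]] = rec["ts"]
            continue
        if is_executable_under_uploads(rec):
            prior = last_import.get(rec["ip"])
            chained = prior is not None and rec["ts"] - prior <= window
            alerts.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "preceded_by_import": chained,
                "severity": "high" if chained else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A 200 on the script request means the server executed something under uploads and is the case to escalate immediately; a 404 still shows a client that expects a script to be there and is worth correlating with file integrity alerts on that directory. Run over a real log, the script would be fed lines from `tail -F` or a log shipper rather than the embedded sample.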
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8 and the critical impact of remote code execution, immediate remediation is strongly recommended. Organizations using the affected StoreEngine plugin should prioritize applying the vendor-supplied patch without delay. Although this CVE is not currently on the CISA KEV list, its severity and the ease of exploitation make it a prime candidate for future inclusion and widespread attacks. Treat this vulnerability as an active and critical threat to your web infrastructure.