CVE-2025-9216 Overview
CVE-2025-9216 affects the StoreEngine WordPress eCommerce plugin, which provides payments, memberships, affiliates, and sales functionality. The vulnerability stems from missing file type validation in the import() function within addons/csv/ajax/import.php. All versions up to and including 1.5.0 are affected. Authenticated users with Subscriber-level access or higher can upload arbitrary files to the server. Successful exploitation may lead to remote code execution (RCE) on affected WordPress sites. The vulnerability is classified as [CWE-434] Unrestricted Upload of File with Dangerous Type.
Critical Impact
Authenticated attackers holding only Subscriber-level access can upload arbitrary files, including PHP scripts, potentially leading to full server compromise through remote code execution.
Affected Products
- StoreEngine WordPress Plugin versions up to and including 1.5.0
- WordPress sites with the StoreEngine CSV import addon enabled
- Any WordPress deployment allowing Subscriber-level registrations with StoreEngine installed
Discovery Timeline
- 2025-09-17 - CVE-2025-9216 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9216
Vulnerability Analysis
The flaw resides in the CSV import addon shipped with StoreEngine. The import() handler in addons/csv/ajax/import.php processes uploaded files without validating the file type, extension, or MIME content. An authenticated user issues an AJAX request to the import endpoint and supplies a file of arbitrary type. The plugin writes the file to a location accessible on the web server. When the uploaded file is a PHP script placed within a web-accessible directory, an attacker can request it to execute arbitrary code under the web server's user context.
The attack requires only Subscriber-level privileges, which is the default role assigned to newly registered users on many WordPress sites. This lowers the exploitation barrier significantly compared to vulnerabilities requiring administrative access.
Root Cause
The root cause is the absence of file type validation logic in the import handler prior to writing user-supplied content to disk. The endpoint accepts CSV import requests but does not enforce that uploaded content is CSV data. Neither the file extension, MIME type, nor magic bytes are verified. Authorization checks also fail to restrict the endpoint to administrative roles.
Attack Vector
The attack is network-based and requires authentication. An attacker registers a Subscriber account or uses existing credentials, then submits a crafted multipart form upload to the CSV import AJAX endpoint. The payload contains a malicious PHP file. Once written to disk, the attacker requests the file through the web server to trigger execution. Refer to the Wordfence Vulnerability Report and Ryan Kozak CVE-2025-9216 Analysis for technical details. A proof of concept is available at the GitHub CVE-2025-9216 PoC.
Detection Methods for CVE-2025-9216
Indicators of Compromise
- Unexpected .php, .phtml, or other executable files present in WordPress upload directories following StoreEngine installation
- POST requests to admin-ajax.php with StoreEngine CSV import actions originating from low-privilege user accounts
- New WordPress user registrations followed by immediate CSV import requests
- Web shell signatures or outbound connections from the web server process to unknown hosts
Detection Strategies
- Monitor WordPress access logs for AJAX calls targeting the StoreEngine CSV import endpoint from non-administrator sessions
- Alert on file writes to WordPress upload paths where the written filename does not match a .csv extension
- Inspect newly created files in plugin and upload directories for PHP shebangs, eval(), base64_decode(), or system() calls
Monitoring Recommendations
- Enable WordPress audit logging to record file upload actions with associated user identity
- Deploy a web application firewall (WAF) rule set that inspects file uploads for executable content
- Track process execution originating from the web server user, particularly PHP processes spawning shells or network utilities
How to Mitigate CVE-2025-9216
Immediate Actions Required
- Update the StoreEngine plugin to a version later than 1.5.0 that contains the fix referenced in WordPress StoreEngine Changeset #3360097
- Audit WordPress upload directories for suspicious files created since StoreEngine was installed
- Review user registrations for suspicious Subscriber accounts and disable unused accounts
- Rotate WordPress administrator credentials and secret keys if compromise is suspected
Patch Information
The vendor addressed the vulnerability in the changeset committed to the WordPress plugin repository. Site administrators should upgrade StoreEngine through the WordPress plugin management interface. Review the fix in the WordPress StoreEngine Import.php Code to confirm the deployed version includes the validation logic.
Workarounds
- Deactivate the StoreEngine CSV import addon until the plugin is upgraded
- Restrict user registration or set default roles below Subscriber where feasible
- Configure the web server to deny PHP execution within WordPress upload directories using directives that block script handlers in wp-content/uploads
- Apply WAF rules that block requests to the vulnerable AJAX action from non-administrative users
# Example Apache configuration to block PHP execution in uploads
<Directory "/var/www/html/wp-content/uploads">
<FilesMatch "\.(php|phtml|php3|php4|php5|phar)$">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

