CVE-2025-39568: 
WordPress vulnerability analysis and mitigation

A path traversal vulnerability was discovered in Arture B.V. StoreContrl Woocommerce plugin affecting versions through 4.1.3. The vulnerability allows attackers to perform path traversal attacks, potentially accessing files outside of intended directories (NVD, Patchstack).

The vulnerability is classified as a high severity issue with a CVSS v3.1 base score of 7.5 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high impact on confidentiality (C:H) but no impact on integrity (I:N) or availability (A:N) (Patchstack).

The vulnerability allows malicious actors to download any file from the affected website, including sensitive files containing login credentials or backup files. This poses a significant risk to the confidentiality of data stored on affected systems (Patchstack).

Users are advised to update to version 4.1.4 or later to resolve the vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).

The vulnerability was initially reported by security researcher astra.r3verii on March 26, 2025. Patchstack issued an early warning to their customers on April 17, 2025, before publishing the vulnerability publicly on April 19, 2025 (Patchstack).