CVE-2025-47687: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-47687 is an Unrestricted Upload of File with Dangerous Type vulnerability affecting StoreKeeper B.V.'s StoreKeeper for WooCommerce plugin versions through 14.4.4. The vulnerability was discovered by researcher Cút lộn xào me on March 19, 2025, and was publicly disclosed on May 9, 2025. This critical security flaw allows unauthenticated attackers to upload arbitrary files to affected WordPress websites running the StoreKeeper for WooCommerce plugin (Wiz Database, Patchstack).

The vulnerability is classified as an Arbitrary File Upload vulnerability with a CVSS v3.1 Base Score of 10.0 (Critical) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The issue falls under the OWASP Top 10 category A3: Injection and is identified by CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability allows attackers to upload arbitrary files, including web shells, to affected web servers without requiring authentication (NVD, Patchstack).

The vulnerability could allow malicious actors to upload any type of file to the affected website, including backdoors which can then be executed to gain further access to the website. Due to its high severity score and unauthenticated nature, this vulnerability is expected to become mass exploited (Wiz Database).

While no official fix is available, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Website administrators are advised to implement mitigation measures immediately (Patchstack).