CVE-2025-48148: 
WordPress vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-48148) was discovered in the StoreKeeper for WooCommerce WordPress plugin, affecting all versions up to and including 14.4.4. The vulnerability was disclosed on July 31, 2025, and allows unauthenticated attackers to perform arbitrary file uploads due to missing file type validation (Rapid7, Patchstack).

The vulnerability is classified as an Arbitrary File Upload issue, stemming from inadequate file type validation in the plugin's functionality. It has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Rapid7).

The vulnerability allows attackers to upload arbitrary files to the affected site's server, potentially enabling remote code execution. This could lead to complete compromise of the affected WordPress installation, allowing attackers to gain unauthorized access and control over the website (Rapid7, Patchstack).

Website administrators are strongly advised to update to version 14.4.5 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version. The vulnerability was initially reported by researcher theviper17 on June 20, 2025, and a fix was released shortly after disclosure (Patchstack).