CVE-2025-9215: 
WordPress vulnerability analysis and mitigation

The StoreEngine WordPress eCommerce Plugin (versions up to 1.5.0) contains a Path Traversal vulnerability (CVE-2025-9215) discovered on September 16, 2025. The vulnerability affects the file_download() function in the CSV Import/Export feature, allowing authenticated users with Subscriber-level access or higher to read arbitrary files on the server (NVD, Researcher Blog).

The vulnerability stems from improper path sanitization in the storeengine_csv/file_download endpoint, which only relies on nonce verification for security. The critical issue is that the storeengine_nonce is exposed to all frontend users through the plugin's JavaScript. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, GitHub POC).

When exploited, this vulnerability allows authenticated attackers to read the contents of arbitrary files on the server, including sensitive system files, WordPress configuration files, and plugin source code. This can lead to exposure of critical information such as database credentials, API keys, and security salts (Researcher Blog).

The vulnerability was patched in version 1.5.1 of the StoreEngine plugin, which implements proper path validation and sanitization. The fix includes checking if the requested file path is within the intended directory using realpath() function and comparing it against the upload directory path (WordPress Changeset).