CVE-2025-9216: 
WordPress vulnerability analysis and mitigation

The StoreEngine WordPress eCommerce Plugin contains a critical vulnerability (CVE-2025-9216) discovered in September 2025. The vulnerability affects all versions up to and including 1.5.0 and allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server through the CSV Import/Export feature. This security flaw stems from missing file type validation in the import() function (GitHub POC, NVD).

The vulnerability exists due to two main security flaws: 1) The CSV import endpoint lacks proper file validation checks and permission controls, relying solely on nonce verification for security, and 2) The storeengine_nonce is exposed to all frontend users through the plugin's JavaScript. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerable code is located in the import() function on line 51 of /wp-content/plugins/storeengine/addons/csv/ajax/import.php (Wordfence).

The vulnerability allows authenticated attackers to upload arbitrary files, including PHP web shells, to the affected site's server. This can lead to remote code execution capabilities, potentially giving attackers complete control over the WordPress installation. The impact is particularly severe as it affects users with minimal privileges (Subscriber level) (Ryan Kozak).

Website administrators should immediately update the StoreEngine plugin to version 1.5.2 or later, which includes patches for this vulnerability. If immediate updating is not possible, it is recommended to disable the CSV Import/Export feature until the update can be applied. Additionally, administrators should review their user roles and permissions to ensure minimal necessary access is granted (NVD).