CVE-2025-39568
Published: 17 April 2025
Summary
CVE-2025-39568 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 24.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a path traversal flaw, tracked as CWE-22, in the StoreContrl Woocommerce plugin (storecontrl-wp-connection) developed by Arture B.V. It affects all versions through 4.1.3 and carries a CVSS 3.1 score of 7.5, reflecting network-accessible exploitation with no required credentials or user interaction and high impact on confidentiality.
An unauthenticated remote attacker can supply crafted path sequences to the affected plugin endpoint, enabling retrieval of arbitrary files outside the intended web root. Successful exploitation yields access to sensitive server-side data such as configuration files or application secrets without modifying content or causing denial of service.
The Patchstack advisory classifies the issue as an arbitrary file download vulnerability and directs administrators to apply the vendor-supplied update, which corrects the pathname restriction in versions newer than 4.1.3. The associated EPSS score remains low, with a current value of 0.0086 and a peak of 0.0117.
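As an added illustration of the control listed under Mitigating Controls (validating that a requested filename cannot escape the download directory), the following Python check canonicalises the requested path and verifies containment before anything is served. It is not code from the plugin or from Patchstack; the export directory layout and the request strings are constructed assumptions, and the request string is assumed to be already URL-decoded.

```python
import os
import tempfile
from typing import Dict, Optional


def resolve_download(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path to serve, or None if `requested` escapes base_dir."""
    if "\x00" in requested:          # NUL bytes truncate paths in C-backed APIs
        return None
    base = os.path.realpath(base_dir)
    # Join under the base, then canonicalise: ".." segments, repeated
    # separators and symlinks are all resolved before the check below.
    # An absolute `requested` makes os.path.join discard `base` entirely,
    # so the containment check is what protects us, not the join.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:               # different drives on Windows
        inside = False
    if not inside or candidate == base:
        return None
    return candidate


def run_demo() -> Dict[str, str]:
    """Build a constructed export directory and classify sample requests."""
    base = tempfile.mkdtemp(prefix="exports-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "orders.csv"), "w") as fh:
        fh.write("order_id,total\n1001,42.00\n")          # constructed data
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("not for download\n")                    # constructed data
    os.symlink(outside, os.path.join(base, "link"))         # symlink escape
    requests = [
        "reports/orders.csv",         # legitimate request
        "../../etc/passwd",           # classic dot-dot traversal
        "/etc/passwd",                # absolute path swallows the base
        "reports/../../outside",      # traversal hidden behind a valid prefix
        "link/secret.txt",            # symlink pointing outside the base
        "reports/orders.csv\x00.pdf", # NUL-byte truncation attempt
    ]
    return {r: ("served" if resolve_download(base, r) else "rejected") for r in requests}


if __name__ == "__main__":
    for req, verdict in run_demo().items():
        print(f"{verdict:8s} {req!r}")
```

Only the first request resolves to a file inside the export directory; every other variant is rejected by the same containment check, which is why canonicalising before comparing matters more than filtering for ".." substrings.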
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11751
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Arture B.V. StoreContrl Woocommerce storecontrl-wp-connection allows Path Traversal. This issue affects StoreContrl Woocommerce: from n/a through <= 4.1.3.
- CWE(s): CWE-22
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.