Cyber Resilience

CVE-2025-39568

High

Published: 17 April 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: vendor-supplied update available (versions newer than 4.1.3)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0086 (75.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-39568 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 24.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a path traversal flaw, tracked as CWE-22, in the StoreContrl Woocommerce plugin (storecontrl-wp-connection) developed by Arture B.V. It affects all versions through 4.1.3 and carries a CVSS 3.1 score of 7.5, reflecting network-accessible exploitation with no required credentials or user interaction and high impact on confidentiality.

An unauthenticated remote attacker can supply crafted path sequences to the affected plugin endpoint, enabling retrieval of arbitrary files outside the intended web root. Successful exploitation yields access to sensitive server-side data such as configuration files or application secrets without modifying content or causing denial of service.

The Patchstack advisory identifies the issue as an arbitrary file download vulnerability and directs administrators to apply the vendor-supplied update that resolves the improper pathname limitation in versions newer than 4.1.3. The associated EPSS score remains low, with a current value of 0.0086 and a peak of 0.0117.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Arture B.V. StoreContrl Woocommerce (storecontrl-wp-connection) allows Path Traversal. This issue affects StoreContrl Woocommerce: from n/a through <= 4.1.3.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
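The control above, shown as an added example (not the plugin's code, and not taken from the advisory): a download handler resolves the requested name against a fixed export directory and refuses anything that canonicalises outside it. The directory path, parameter names and sample requests are constructed for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example directory; the plugin's real file location is not given
# on the page, so this path is an assumption for illustration only.
EXPORT_DIR = "/var/www/html/wp-content/uploads/exports"


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical on-disk path for a requested file, or None when
    the request would escape base_dir (the CWE-22 condition)."""
    # Decode exactly once, mirroring what the web server hands to the
    # application; checking before decoding lets '%2e%2e%2f' slip past.
    requested = unquote(requested)

    # Null bytes can truncate the path in lower layers, so reject outright.
    if "\x00" in requested:
        return None

    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_dir when `requested` is absolute; the
    # containment check below catches that case as well as '..' segments.
    candidate = os.path.realpath(os.path.join(base_real, requested))

    # Canonicalise both sides (symlinks, '.', '..'), then require that the
    # shared prefix is the base directory itself. A plain startswith() on
    # the string would wrongly accept '/exports-old/x' as inside '/exports'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    if candidate == base_real:  # the directory itself is not a file to serve
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request values: the first two stay inside the directory,
    # the rest are traversal attempts that must be refused.
    samples = ["report.csv", "sub/../report.csv",
               "../../../../wp-config.php", "..%2F..%2Fwp-config.php",
               "/etc/passwd", "report.csv\x00.txt"]
    for name in samples:
        print(f"{name!r:35} -> {resolve_download_path(EXPORT_DIR, name)}")
```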
