CVE-2025-4336

Name of the Vulnerable Software and Affected Versions eMagicOne Store Manager for WooCommerce plugin for WordPress versions up to, and including, 1.2.5

Description The issue is related to arbitrary file uploads due to missing file type validation in the set file() function. This allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially enabling remote code execution. The vulnerability is exploitable in default configurations where the default password is not changed or if an attacker gains access to the credentials.

Recommendations For versions up to, and including, 1.2.5, update to a version that includes a fix for the missing file type validation in the set file() function. As a temporary workaround, consider changing the default password and restricting access to the plugin's functionality to minimize the risk of exploitation.