CVE-2025-4603

Name of the Vulnerable Software and Affected Versions eMagicOne Store Manager for WooCommerce plugin for WordPress versions 1.2.5 and earlier

Description The issue is related to insufficient file path validation in the delete file() function, allowing unauthenticated attackers to delete arbitrary files on the server. This can lead to remote code execution when specific files, such as wp-config.php, are deleted. The vulnerability is only exploitable in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.

Recommendations For versions 1.2.5 and earlier, update to a version that includes a fix for the insufficient file path validation in the delete file() function. As a temporary workaround, consider changing the default password from 1:1 and restricting access to the delete file() function to minimize the risk of exploitation. Additionally, restrict access to sensitive files such as wp-config.php to prevent remote code execution.