PT-2025-22838 · WordPress · Emagicone Store Manager For Woocommerce

Ryan Kozak · Published 2025-05-24 · Updated 2026-04-08 · CVE-2025-5058

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

eMagicOne Store Manager for WooCommerce plugin for WordPress versions 1.2.5 and earlier

Description

The issue arises from missing file type validation in the set_image() function, allowing unauthenticated attackers to upload arbitrary files on the affected site's server. This could potentially lead to remote code execution. The vulnerability is only exploitable in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.

Recommendations

For versions 1.2.5 and earlier, update to a version that includes the fix for the missing file type validation in the set_image() function. As a temporary workaround, consider changing the default password from 1:1 and restricting access to the set_image() function until a patch is available. Restrict access to the affected plugin to minimize the risk of exploitation.

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-5058

Affected Products

Emagicone Store Manager For Woocommerce