Description
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Published: 2025-05-24
Score: 8.1 High
EPSS: 1.9% Low
KEV: No
Impact: Remote Code Execution via arbitrary file upload
Action: Patch Now
AI Analysis

Impact

The eMagicOne Store Manager for WooCommerce plugin allows unauthenticated users to upload any file type because the set_file() function lacks type validation. An attacker can place malicious scripts on the server, which may be executed to compromise the WordPress site, its database, and potentially the underlying operating system. This flaw is classified as CWE-434 and can lead to full remote code execution if the uploaded file is a PHP payload or other executable code.

Affected Systems

The vulnerability affects all installations of eMagicOne Store Manager for WooCommerce version 1.2.5 and earlier. The product is a WordPress plugin developed by emagicone and identified by the CPE cpe:2.3:a:emagicone:emagicone_store_manager_for_woocommerce. Sites running default credentials or no authentication can be targeted. The issue exists in all default configuration scenarios and does not require administrative privileges.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of 2% shows a modest likelihood of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers can exploit this weakness remotely via normal HTTP requests to the plugin’s set_file endpoint, without the need for login if the site uses default credentials or is otherwise insecure. Because the flaw permits arbitrary file upload, immediate remediation is strongly recommended.

Generated by OpenCVE AI on April 21, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the eMagicOne Store Manager for WooCommerce plugin to version 1.3 or later to remove the upload vulnerability.
  • Restrict uploaded file types to only those explicitly required, such as images, by configuring the plugin’s allowed mime types or implementing a server‑side filter.
  • Disable the plugin or remove it entirely if the store manager is no longer needed, and ensure the default WordPress admin password is changed from the insecure 1:1 value.

Generated by OpenCVE AI on April 21, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28003 The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00113}

 epss

{'score': 0.00338}

Fri, 11 Jul 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Emagicone
Emagicone emagicone Store Manager For Woocommerce
CPEs cpe:2.3:a:emagicone:emagicone_store_manager_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Emagicone
Emagicone emagicone Store Manager For Woocommerce

Sat, 24 May 2025 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 24 May 2025 04:00:00 +0000

Type Values Removed Values Added
Description The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Title eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_file()
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Emagicone Emagicone Store Manager For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:59.138Z

Reserved: 2025-05-05T15:40:59.839Z

Link: CVE-2025-4336

cve-icon Vulnrichment

Updated: 2025-05-24T10:00:51.346Z

cve-icon NVD

Status : Modified

Published: 2025-05-24T04:15:27.513

Modified: 2026-04-08T18:24:47.480

Link: CVE-2025-4336

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses