Description
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Published: 2025-05-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

The eMagicOne Store Manager for WooCommerce plugin contains a flaw in the get_file() function that allows attackers to request the contents of any file on the server; the vulnerability is tied to improper path handling and is classified as CWE‑73, enabling disclosure of sensitive information such as configuration files and credentials. This flaw is limited to unauthenticated attackers when the default password (1:1) remains unchanged or when the attacker has acquired credentials via other means, but once privilege is obtained, the attacker can read arbitrary files. The impact is primarily confidentiality loss, as data from the server can be accessed without authorization.

Affected Systems

The vulnerability affects the emagicone eMagicOne Store Manager for WooCommerce plugin for WordPress in all versions up to and including 1.2.5; no other products or vendors are reported to be impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests a very low exploitation probability under current conditions; the vulnerability is not listed in the CISA KEV catalog. An attacker would need access to the plugin’s default password or to valid login credentials, after which a simple HTTP request can trigger the file read, so the risk is contingent upon the default password policy and credential security

Generated by OpenCVE AI on April 22, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to version 1.2.6 or later to eliminate the vulnerable get_file() behavior.
  • If an update cannot be applied immediately, change the default password from 1:1 to a strong, unique value to block unauthenticated access.
  • Configure the web server or use .htaccess rules to block direct access to plugin files and enforce server‑side validation of requested paths to prevent arbitrary file reads.

Generated by OpenCVE AI on April 22, 2026 at 14:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28027 The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00083}

 epss

{'score': 0.00087}

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0009}

 epss

{'score': 0.00083}

Fri, 11 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Emagicone
Emagicone emagicone Store Manager For Woocommerce
CPEs cpe:2.3:a:emagicone:emagicone_store_manager_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Emagicone
Emagicone emagicone Store Manager For Woocommerce

Sat, 24 May 2025 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 24 May 2025 04:00:00 +0000

Type Values Removed Values Added
Description The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Title eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Read
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Emagicone Emagicone Store Manager For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:18.408Z

Reserved: 2025-05-12T18:05:57.416Z

Link: CVE-2025-4602

cve-icon Vulnrichment

Updated: 2025-05-24T10:03:54.985Z

cve-icon NVD

Status : Modified

Published: 2025-05-24T04:15:28.293

Modified: 2026-04-08T17:20:45.580

Link: CVE-2025-4602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses