Impact
The eMagicOne Store Manager for WooCommerce plugin contains a flaw in its delete_file() function where insufficient file path validation allows anyone to delete any file on the server. An unauthenticated attacker can trigger the deletion, and if a critical file such as wp-config.php is removed, site compromise or remote code execution may result. The vulnerability is exploitable when the default administrator password remains 1:1 or when credentials are otherwise obtained.
Affected Systems
WordPress sites that run the eMagicOne Store Manager for WooCommerce plugin version 1.2.5 or earlier are impacted. The flaw applies to all builds of the plugin released up to and including 1.2.5, regardless of the underlying WordPress core version.
Risk and Exploitability
With a CVSS score of 9.1, the issue is classified as critical. An EPSS score of 1% indicates that actual exploitation, while low, is still possible. The attack vector is an unauthenticated HTTP request to the plugin’s deletion endpoint; no special user privileges are required when the default password remains unchanged. The vulnerability is not yet listed in the CISA KEV catalog, but its simplicity and high impact warrant immediate attention.
OpenCVE Enrichment
EUVD