Description
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Published: 2025-05-24
Score: 9.1 Critical
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The eMagicOne Store Manager for WooCommerce plugin contains a flaw in its delete_file() function where insufficient file path validation allows anyone to delete any file on the server. An unauthenticated attacker can trigger the deletion, and if a critical file such as wp-config.php is removed, site compromise or remote code execution may result. The vulnerability is exploitable when the default administrator password remains 1:1 or when credentials are otherwise obtained.

Affected Systems

WordPress sites that run the eMagicOne Store Manager for WooCommerce plugin version 1.2.5 or earlier are impacted. The flaw applies to all builds of the plugin released up to and including 1.2.5, regardless of the underlying WordPress core version.

Risk and Exploitability

With a CVSS score of 9.1, the issue is classified as critical. An EPSS score of 1% indicates that actual exploitation, while low, is still possible. The attack vector is an unauthenticated HTTP request to the plugin’s deletion endpoint; no special user privileges are required when the default password remains unchanged. The vulnerability is not yet listed in the CISA KEV catalog, but its simplicity and high impact warrant immediate attention.

Generated by OpenCVE AI on June 18, 2026 at 06:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the eMagicOne Store Manager for WooCommerce plugin to a release that removes the delete_file flaw, checking the vendor’s release notes for a fix.
  • Replace the default administrator password (1:1) with a strong, unique credential and restrict the delete_file functionality to authenticated administrators only.
  • If an updated version is not yet available, disable or uninstall the plugin to eliminate the attack surface, or deploy a temporary patch that normalizes file paths and restricts deletions to a safe directory.

Generated by OpenCVE AI on June 18, 2026 at 06:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28028 The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00363}

epss

{'score': 0.00375}


Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00221}

epss

{'score': 0.00363}


Fri, 11 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Emagicone
Emagicone emagicone Store Manager For Woocommerce
CPEs cpe:2.3:a:emagicone:emagicone_store_manager_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Emagicone
Emagicone emagicone Store Manager For Woocommerce

Sat, 24 May 2025 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 24 May 2025 04:00:00 +0000

Type Values Removed Values Added
Description The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Title eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

Emagicone Emagicone Store Manager For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:09.952Z

Reserved: 2025-05-12T18:07:39.510Z

Link: CVE-2025-4603

cve-icon Vulnrichment

Updated: 2025-05-24T10:03:15.532Z

cve-icon NVD

Status : Modified

Published: 2025-05-24T04:15:30.767

Modified: 2026-06-17T09:33:36.563

Link: CVE-2025-4603

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T07:00:16Z

Weaknesses
  • CWE-73

    External Control of File Name or Path