Description
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Published: 2025-05-24
Score: 9.1 Critical
EPSS: 3.0% Low
KEV: No
Impact: Arbitrary File Deletion leading to Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The eMagicOne Store Manager for WooCommerce plugin contains a flaw in its delete_file() function where file path validation is insufficient, allowing an attacker to delete any file on the server. This unchecked deletion can target critical files such as wp-config.php, enabling remote code execution or site compromise. The vulnerability is exploitable by unauthenticated users when the default password remains 1:1 or when credential compromise occurs.

Affected Systems

WordPress sites running the eMagicOne Store Manager for WooCommerce plugin version 1.2.5 or older are affected. The flaw exists across all releases up to and including 1.2.5 and is not limited to any specific WordPress version.

Risk and Exploitability

The CVSS score of 9.1 classifies this as a critical vulnerability, and an EPSS score of 3% indicates a moderate likelihood of exploitation. The attacker does not require special credentials if the default password is still set, making the attack vector essentially any unauthenticated web request to the plugin’s deletion endpoint. Though not yet listed in the CISA KEV catalog, the straightforward nature of the exploit and the high impact warrant immediate attention.

Generated by OpenCVE AI on April 28, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the eMagicOne Store Manager for WooCommerce plugin to the latest version (1.2.6 or newer) where the delete_file() path validation has been corrected.
  • Replace the default password (1:1) with a strong, unique password to prevent unauthorized access to the plugin’s deletion functionality.
  • Check the vendor’s website or WordPress plugin repository for updates and security notices, or uninstall the plugin if it is not required to eliminate the attack surface.

Generated by OpenCVE AI on April 28, 2026 at 01:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28028 The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00363}

 epss

{'score': 0.00375}

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00221}

 epss

{'score': 0.00363}

Fri, 11 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Emagicone
Emagicone emagicone Store Manager For Woocommerce
CPEs cpe:2.3:a:emagicone:emagicone_store_manager_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Emagicone
Emagicone emagicone Store Manager For Woocommerce

Sat, 24 May 2025 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 24 May 2025 04:00:00 +0000

Type Values Removed Values Added
Description The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Title eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Emagicone Emagicone Store Manager For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:09.952Z

Reserved: 2025-05-12T18:07:39.510Z

Link: CVE-2025-4603

cve-icon Vulnrichment

Updated: 2025-05-24T10:03:15.532Z

cve-icon NVD

Status : Modified

Published: 2025-05-24T04:15:30.767

Modified: 2026-04-08T17:20:45.730

Link: CVE-2025-4603

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:45:18Z

Weaknesses