Description
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Published: 2025-05-24
Score: 9.8 Critical
EPSS: 2.5% Low
KEV: No
Impact: Arbitrary File Upload (remote code execution potential)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the set_image() function of the eMagicOne Store Manager for WooCommerce plugin, where missing file type validation allows an attacker to upload any file type. This flaw enables unauthenticated remote attackers to place malicious code on the server, potentially leading to remote code execution if the uploaded file is later executed.

Affected Systems

WordPress sites running the eMagicOne Store Manager for WooCommerce plugin from vendors emagicone, with versions up to and including 1.2.5. The issue affects all installations of these versions regardless of other site configuration, unless the plugin is upgraded beyond 1.2.5.

Risk and Exploitability

The CVSS score of 9.8 classifies the flaw as critically severe. An EPSS score of 2% indicates a moderate probability that the vulnerability is actively exploited in the wild. The issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw without authentication when the default password remains in its insecure default form (1:1) or when they have obtained valid credentials. Once a file is uploaded, an attacker may be able to execute code by accessing the file directly or by leveraging additional application logic that processes uploaded files.

Generated by OpenCVE AI on April 21, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the eMagicOne Store Manager for WooCommerce plugin to the latest available version (>=1.2.6) directly from the official plugin repository or the vendor’s release page.
  • If an immediate upgrade is not possible, block the upload endpoint by configuring a .htaccess rule to deny write access or to redirect the set_image URL to a 403 response, thereby preventing uploads from reaching the vulnerable function.
  • Implement a web application firewall rule that filters requests to the set_image endpoint, rejecting any files that do not match allowed extensions or MIME types, or that carry suspicious payload signatures.

Generated by OpenCVE AI on April 21, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28373 The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00138}

 epss

{'score': 0.00336}

Fri, 11 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Emagicone
Emagicone emagicone Store Manager For Woocommerce
CPEs cpe:2.3:a:emagicone:emagicone_store_manager_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Emagicone
Emagicone emagicone Store Manager For Woocommerce

Sat, 24 May 2025 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 24 May 2025 04:00:00 +0000

Type Values Removed Values Added
Description The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
Title eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image()
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Emagicone Emagicone Store Manager For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:36.718Z

Reserved: 2025-05-21T14:42:07.720Z

Link: CVE-2025-5058

cve-icon Vulnrichment

Updated: 2025-05-24T09:58:56.063Z

cve-icon NVD

Status : Modified

Published: 2025-05-24T04:15:32.560

Modified: 2026-04-08T18:24:51.830

Link: CVE-2025-5058

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses