
CVE-2025-4603

Critical · Public PoC

Published: 24 May 2025

Modified: 08 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0302 (86.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-4603 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in eMagicOne Store Manager for WooCommerce. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 13.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function. The flaw affects all versions up to and including 1.2.5 and is tracked as CWE-73. It carries a CVSS 3.1 score of 9.1.

Unauthenticated attackers can exploit the issue in default configurations where the connector password remains at its default value of 1:1, or after obtaining valid credentials. Successful exploitation allows deletion of arbitrary files on the server, which can be leveraged to achieve remote code execution by removing critical files such as wp-config.php.

A fix has been published in the WordPress plugin repository, referenced by changeset 3308544. The EPSS score remains flat at 0.0302 with no material increase after disclosure, indicating limited observed exploitation interest to date.


Vulnerability details

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1078.001 · Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1070.004 · File Deletion · Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability in the WordPress plugin allows unauthenticated arbitrary file deletion via a public-facing endpoint (?connector=bridge) when default credentials (1:1) are unchanged, enabling exploitation of public-facing applications (T1190), use of default accounts (T1078.001), and file deletion for indicator removal or impact (T1070.004).

Affected Assets

Vendor: emagicone
Product: emagicone store manager for woocommerce
Affected versions: ≤ 1.2.5

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-73

Rejects externally supplied file or resource identifiers that fail validity checks.
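
One way to apply that control to a file-deletion routine, as an added example that is not the plugin's own code and not the published fix. The function name safe_delete_file(), the uploads directory and the sample file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not the plugin's delete_file()): delete $userPath only
 * if it resolves to a regular file inside $baseDir.
 */
function safe_delete_file(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;                       // base directory must exist
    }
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return false;                       // empty name or embedded NUL byte
    }
    // realpath() collapses "..", "." and symlinks; false means no such file.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "/srv/uploads_old" cannot pass a check for "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;                       // resolved outside the base
    }
    return unlink($target);
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe73_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/wp-config.php', 'constructed stand-in');
file_put_contents($root . '/uploads/export.csv', 'constructed');

var_dump(safe_delete_file($root . '/uploads', 'export.csv'));       // path inside the base
var_dump(safe_delete_file($root . '/uploads', '../wp-config.php')); // resolves outside the base
var_dump(file_exists($root . '/wp-config.php'));                    // state of the stand-in file

// Clean up the demo tree.
unlink($root . '/wp-config.php');
rmdir($root . '/uploads');
rmdir($root);
```

Path confinement covers only the CWE-73 part of the issue; the default 1:1 connector password still has to be changed so the endpoint is not reachable with default credentials.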
