CVE-2025-4603
Published: 24 May 2025
Summary
CVE-2025-4603 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in the eMagicOne Store Manager for WooCommerce plugin for WordPress. Its CVSS 3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 13.1% of CVEs by exploit likelihood (EPSS). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function. The flaw affects all versions up to and including 1.2.5 and is classified as CWE-73 (External Control of File Name or Path). It carries a CVSS 3.1 base score of 9.1.
Unauthenticated attackers can exploit the issue in default configurations where the connector password is left at its default value of 1:1; otherwise an attacker needs valid credentials. Successful exploitation allows deletion of arbitrary files on the server, which can be leveraged into remote code execution by removing a critical file such as wp-config.php: without its configuration file WordPress falls back to its installation routine, which an attacker can complete against a database they control.
A fix has been published in the WordPress plugin repository (changeset 3308544). The EPSS score is 0.0302 and has stayed flat since disclosure, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28028
Vulnerability details
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.
- CWE(s): CWE-73, External Control of File Name or Path
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the WordPress plugin allows unauthenticated arbitrary file deletion via a public-facing endpoint (?connector=bridge) when the default credentials (1:1) are unchanged. That maps to Exploit Public-Facing Application (T1190), Valid Accounts: Default Accounts (T1078.001), and Indicator Removal: File Deletion (T1070.004) for the deletion itself, whether used to cover tracks or for impact.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Rejects externally supplied file or resource identifiers that fail validity checks.
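The control above and the delete_file() flaw described under Deeper analysis are two sides of the same CWE-73 pattern. The following is an added illustration written for this page; it is not the eMagicOne plugin's code, and the function names, the export-directory layout and the request shape are assumptions. It places the unconfined unlink() pattern beside a hardened handler that only accepts a bare file name, resolves it with realpath() and requires the result to sit strictly inside the permitted directory, so both a `../wp-config.php` traversal and a symlink planted inside the directory are refused. The default-credential problem (1:1) is separate and is not modelled here.

```php
<?php
// Added illustration of the CWE-73 pattern in this advisory.
// NOT the eMagicOne Store Manager code: function names, the exports/
// directory and the sample files are assumptions made for the demo.

// Vulnerable pattern: the externally supplied name reaches unlink() with no
// confinement, so a value such as "../wp-config.php" deletes files anywhere
// the web server user has write access.
function delete_file_vulnerable(string $base_dir, string $user_supplied): bool {
    $target = $base_dir . '/' . $user_supplied;
    return file_exists($target) && unlink($target);
}

// Hardened pattern: reject anything that is not a plain file name, resolve
// both sides with realpath(), then enforce a prefix match on the real path.
function delete_file_hardened(string $base_dir, string $user_supplied): bool {
    // Empty names and embedded NUL bytes never describe a legitimate file.
    if ($user_supplied === '' || strpos($user_supplied, "\0") !== false) {
        return false;
    }
    // Only a bare file name is acceptable: no directory components at all.
    if (basename($user_supplied) !== $user_supplied) {
        return false;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    // realpath() returns false for a missing file and follows symlinks, so a
    // link inside the directory pointing at wp-config.php resolves outside it.
    $target = realpath($base . DIRECTORY_SEPARATOR . $user_supplied);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // The resolved file must be inside $base, not merely share its prefix
    // (e.g. /site/exports-old must not pass for /site/exports).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Throw-away directory layout, constructed for this example only.
$root = sys_get_temp_dir() . '/cwe73_demo_' . bin2hex(random_bytes(4));
mkdir("$root/exports", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // pretend site config\n");
file_put_contents("$root/exports/report.csv", "sku,qty\n");
symlink("$root/wp-config.php", "$root/exports/link.php");

// Three attacker-controlled names: one legitimate, one traversal, one symlink.
foreach (['report.csv', '../wp-config.php', 'link.php'] as $name) {
    $ok = delete_file_hardened("$root/exports", $name);
    printf("hardened  %-18s -> %s\n", $name, $ok ? 'deleted' : 'rejected');
}
printf("wp-config.php still present: %s\n",
    file_exists("$root/wp-config.php") ? 'yes' : 'no');

// Clean up the constructed layout.
@unlink("$root/exports/link.php");
@unlink("$root/exports/report.csv");
@unlink("$root/wp-config.php");
@rmdir("$root/exports");
@rmdir($root);
```

The design choice worth noting is that the hardened version does not try to strip `..` sequences or blocklist file names; it canonicalises the final path and compares it against the canonical base with a trailing separator, which is what closes both the traversal and the symlink route. Swapping `delete_file_hardened` for `delete_file_vulnerable` in the loop would remove the pretend wp-config.php, which is exactly the outcome the advisory describes.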