CVE-2025-4602: 
WordPress vulnerability analysis and mitigation

The eMagicOne Store Manager for WooCommerce plugin for WordPress contains an Arbitrary File Read vulnerability (CVE-2025-4602) in all versions up to and including 1.2.5. The vulnerability exists in the get_file() function, which exposes a remote management protocol endpoint (?connector=bridge) that allows file operations on the server. The issue was discovered and reported by Ryan Kozak on May 23, 2025 (Researcher Blog, NVD).

The vulnerability stems from the plugin's authentication mechanism that relies on default credentials (login=1, password=1) and a session key system. An attacker can obtain a session key by sending a POST request to the bridge endpoint with a hash of the default credentials. Once authenticated, they can use the get_file task to read arbitrary files from the WordPress root or any accessible directory. The CVSS v3.1 score for this vulnerability is 5.9 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

If exploited, this vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server, which may contain sensitive information such as configuration files, encryption keys, and other confidential data. This is particularly dangerous when attackers can access the wp-config.php file, which contains database credentials and authentication keys (Researcher Blog).

Site administrators running affected versions should immediately update their plugin to a version newer than 1.2.5 when available. As a workaround, administrators should change the default credentials from their 1:1 values to strong, unique credentials to prevent unauthorized access (NVD).