CVE-2025-4603: 
WordPress vulnerability analysis and mitigation

The eMagicOne Store Manager for WooCommerce plugin for WordPress contains an arbitrary file deletion vulnerability (CVE-2025-4603) in versions up to and including 1.2.5. The vulnerability exists due to insufficient file path validation in the delete_file() function. This security flaw allows unauthenticated attackers to delete arbitrary files on the server when the default credentials (1:1) are left unchanged or when an attacker obtains valid credentials (NVD, GitHub POC).

The vulnerability stems from the plugin's remote management protocol endpoint (?connector=bridge) that handles file deletion operations. The authentication mechanism relies on default credentials (login=1, password=1) and a session key system. The default hash used for authentication is calculated as md5('1' . '1') = c4ca4238a0b923820dcc509a6f75849b. Once authenticated, an attacker can obtain a session key and use the delete_file task to remove arbitrary files from the WordPress root or any accessible directory. The CVSS v3.1 score for this vulnerability is 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) (NVD, Ryan Kozak).

The successful exploitation of this vulnerability can lead to the deletion of critical files on the server, such as wp-config.php, which can result in website disruption and potential remote code execution. The ability to delete arbitrary files poses a severe risk to the integrity and availability of the WordPress installation (GitHub POC).

Website administrators using the eMagicOne Store Manager for WooCommerce plugin should immediately change the default credentials from their 1:1 values. Additionally, upgrading to a version newer than 1.2.5 is recommended once a patch is available (NVD).