Arbitrary File Read Vulnerability in eMagicOne Store Manager for WooCommerce by WordPress
CVE-2025-4602

5.9MEDIUM

Key Information:

Vendor: WordPress
Status: Emagicone Store Manager For WooCommerce
Vendor: CVE Published:; 24 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-4602?

The eMagicOne Store Manager for WooCommerce plugin exposes a critical vulnerability allowing unauthenticated attackers to exploit arbitrary file reads. This issue affects all versions up to and including 1.2.5, particularly in default configurations where the default password remains unchanged. Attackers can potentially read sensitive files on the server, which may expose important information including configuration details, user data, and more. Website administrators should apply the necessary patches and secure configurations to mitigate this risk.

Affected Version(s)

eMagicOne Store Manager for WooCommerce * <= 1.2.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-4602
Created by d0n601

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/store-manager-...

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 24, 2025
🟡
Public PoC available
May 13, 2025
👾
Exploit known to exist
May 13, 2025
Vulnerability Reserved
May 12, 2025

Credit

Ryan Kozak