
CVE-2025-4602: CWE-73 External Control of File Name or Path in emagicone eMagicOne Store Manager for WooCommerce

Severity: Medium
Tags: Vulnerability, CVE-2025-4602, CWE-73
Published: Sat May 24 2025 (05/24/2025, 03:37:31 UTC)
Source: CVE
Vendor/Project: emagicone
Product: eMagicOne Store Manager for WooCommerce

Description

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.

AI-Powered Analysis

Machine-generated threat intelligence (AI). Last updated: 02/27/2026, 14:43:13 UTC

Technical Analysis

CVE-2025-4602 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the eMagicOne Store Manager for WooCommerce plugin for WordPress. This flaw exists in all versions up to and including 1.2.5 and allows unauthenticated attackers to read arbitrary files on the server via the get_file() function. The vulnerability arises because the plugin improperly controls file path inputs, enabling attackers to specify arbitrary file paths. However, exploitation is contingent on the attacker either leveraging the default weak credentials (username and password set to '1:1') or having access to valid credentials, which limits the attack vector primarily to misconfigured or compromised installations. Successful exploitation can lead to disclosure of sensitive files such as configuration files, database backups, or other critical data stored on the server, compromising confidentiality. The vulnerability does not allow modification or deletion of files, nor does it affect system availability. The CVSS v3.1 base score is 5.9, with vector metrics indicating network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to confidentiality. No patches or official fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability was publicly disclosed on May 24, 2025, and assigned by Wordfence. The plugin is widely used in e-commerce environments running WooCommerce, a popular WordPress extension, making this a relevant threat to many online retailers.

Potential Impact

The primary impact of CVE-2025-4602 is unauthorized disclosure of sensitive information stored on the web server hosting the vulnerable plugin. This can include configuration files, database credentials, private keys, or customer data, which attackers can leverage for further attacks such as privilege escalation, data theft, or targeted phishing. Although the vulnerability does not allow modification or deletion of files, the exposure of confidential data can lead to significant reputational damage, regulatory penalties (especially under data protection laws like GDPR), and financial losses. Organizations with default or weak credentials are particularly vulnerable, increasing the risk of widespread exploitation in poorly managed environments. Since WooCommerce powers a large number of online stores globally, the potential scale of impact is considerable, especially for small to medium-sized businesses that may not have robust security practices. The lack of known exploits in the wild suggests limited active exploitation currently, but the ease of exploitation under default credential conditions means risk remains high if configurations are not hardened.

Mitigation Recommendations

To mitigate CVE-2025-4602, organizations should immediately change any default or weak passwords associated with the eMagicOne Store Manager for WooCommerce plugin to strong, unique credentials. Restrict access to the plugin's administrative interfaces using IP whitelisting or VPNs to reduce exposure. Implement web application firewalls (WAFs) with rules to detect and block attempts to exploit arbitrary file read vulnerabilities. Regularly audit and monitor access logs for suspicious activity indicative of unauthorized file access attempts. Update the plugin to the latest version as soon as a patch becomes available from the vendor. In the absence of an official patch, consider disabling or uninstalling the plugin if it is not essential. Additionally, apply the principle of least privilege to the web server and file system permissions to limit the files accessible by the plugin. Conduct security awareness training for administrators to avoid leaving default credentials in place. Finally, maintain regular backups and ensure sensitive data is encrypted at rest to minimize damage from potential data leaks.
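As an added illustration of the CWE-73 pattern described in the technical analysis and of the least-privilege mitigation above (example code written here, not the plugin's own get_file() implementation, which this page does not show): a PHP helper that resolves a client-supplied file name strictly inside one export directory. The function name, the directory layout and the extension allowlist are assumptions.

```php
<?php
// Added example, not code from the eMagicOne plugin: a hypothetical replacement
// for a file-serving endpoint that takes a client-controlled name (CWE-73).
// Callers are still expected to authenticate the request with a per-site
// credential, never a shipped default such as 1:1.

// Return the canonical path of $requested inside $baseDir, or null when the
// name would leave that directory or is not an allowed export type.
function safe_export_path(string $baseDir, string $requested, array $allowedExt): ?string
{
    // Reject embedded NUL bytes before any filesystem call sees the string.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Only a bare file name is accepted: no '../' and no directory separators.
    if ($requested !== basename($requested)) {
        return null;
    }
    // Extension allowlist: the endpoint serves exports, nothing else.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Canonicalise both sides so a symlink inside $baseDir cannot point out of it.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // The resolved file must sit strictly below the resolved base directory.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Self-check against a constructed temporary export directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'export_' . bin2hex(random_bytes(4));
mkdir($base, 0700);
file_put_contents($base . DIRECTORY_SEPARATOR . 'orders.csv', "id,total\n1,9.99\n");

assert(safe_export_path($base, 'orders.csv', ['csv']) !== null);
assert(safe_export_path($base, '../wp-config.php', ['csv']) === null);
assert(safe_export_path($base, '/etc/passwd', ['csv']) === null);
assert(safe_export_path($base, 'orders.csv.php', ['csv']) === null);
assert(safe_export_path($base, "orders.csv\0", ['csv']) === null);
echo "all checks passed\n";
```

The prefix comparison after realpath() is the check that matters; the basename() and extension filters only reduce what reaches it. Run with zend.assertions=1 so the self-checks actually execute.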


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-12T18:05:57.416Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683142850acd01a249277dc0

Added to database: 5/24/2025, 3:52:37 AM

Last enriched: 2/27/2026, 2:43:13 PM

Last updated: 3/26/2026, 1:21:50 AM

