CVE-2025-4603 is a critical security vulnerability classified under CWE-73 (External Control of File Name or Path) found in the eMagicOne Store Manager for WooCommerce plugin for WordPress. The vulnerability arises from insufficient validation of file paths in the delete_file() function, allowing attackers to specify arbitrary file paths for deletion. This flaw enables unauthenticated attackers to delete any file on the server if they can authenticate using default credentials (password set to 1:1) or if they have obtained valid credentials through other means. Deleting sensitive files such as wp-config.php can lead to remote code execution, compromising the entire WordPress installation and potentially the underlying server. The vulnerability affects all plugin versions up to and including 1.2.5. The CVSS v3.1 base score is 9.1, reflecting a critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on integrity and availability. Although no exploits have been reported in the wild yet, the ease of exploitation under default or compromised credential scenarios makes this a significant threat. The vulnerability was publicly disclosed on May 24, 2025, and no official patches are currently linked, emphasizing the need for immediate defensive actions.

The impact of CVE-2025-4603 is severe for organizations using the affected plugin. Successful exploitation allows attackers to delete arbitrary files on the server, which can disrupt website availability and integrity. More critically, deletion of configuration files like wp-config.php can enable remote code execution, leading to full server compromise. This can result in data breaches, defacement, service outages, and lateral movement within the network. E-commerce sites relying on WooCommerce are particularly at risk, as compromise could lead to theft of customer data, payment information, and loss of business continuity. The vulnerability’s exploitation does not require user interaction and can be performed remotely, increasing the attack surface. Organizations with default or weak credentials are especially vulnerable, amplifying the risk of automated or opportunistic attacks. The absence of known exploits in the wild currently provides a window for mitigation, but the critical nature of the flaw demands urgent attention.

1. Immediately change any default credentials associated with the eMagicOne Store Manager for WooCommerce plugin, especially the default password 1:1, to strong, unique passwords. 2. Restrict access to the plugin’s management interfaces using IP whitelisting, VPNs, or other network access controls to limit exposure. 3. Monitor server and application logs for suspicious file deletion attempts or unauthorized access patterns. 4. Implement file integrity monitoring to detect unexpected deletions or modifications of critical files such as wp-config.php. 5. Apply principle of least privilege to the web server and plugin file permissions to minimize the impact of file deletions. 6. Regularly back up website files and databases to enable rapid recovery in case of compromise. 7. Stay alert for official patches or updates from the vendor and apply them promptly once released. 8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting file deletion endpoints. 9. Educate administrators about the risks of default credentials and enforce strong authentication policies. 10. Conduct periodic security assessments of WordPress plugins and configurations to identify and remediate vulnerabilities proactively.