The eMagicOne Store Manager for WooCommerce plugin for WordPress suffers from an unrestricted file upload vulnerability (CWE-434) identified as CVE-2025-5058. The root cause lies in the set_image() function, which lacks proper validation of uploaded file types, allowing attackers to upload arbitrary files, including potentially malicious scripts. This vulnerability is exploitable without authentication only if the default password remains unchanged (username: 1, password: 1) or if attackers have obtained valid credentials through other means. Successful exploitation can lead to remote code execution on the affected server, enabling attackers to execute arbitrary commands, escalate privileges, and compromise the entire system. The vulnerability affects all plugin versions up to 1.2.5, with no patches currently available. The CVSS v3.1 base score is 9.8, reflecting the ease of exploitation (network vector, no privileges, no user interaction) and the critical impact on confidentiality, integrity, and availability. While no active exploits have been reported, the vulnerability poses a high risk to WooCommerce sites using this plugin, especially those with weak or default credentials.

If exploited, this vulnerability can lead to complete compromise of affected WordPress sites running the eMagicOne Store Manager for WooCommerce plugin. Attackers can upload malicious files, such as web shells, enabling remote code execution, data theft, defacement, or pivoting to internal networks. The integrity of e-commerce data, including customer information and transaction records, can be severely impacted. Availability may also be disrupted through destructive payloads or denial-of-service conditions. Organizations relying on this plugin for online sales face reputational damage, financial loss, and regulatory compliance risks. The threat is amplified in environments where default credentials are not changed or where credential theft occurs, making the attack vector accessible to unauthenticated adversaries. Given WooCommerce's widespread use globally, the potential impact is broad and significant.

1. Immediately change default credentials from the insecure '1:1' to strong, unique usernames and passwords to prevent unauthenticated exploitation. 2. Restrict access to the plugin's management interfaces using IP whitelisting or VPNs to reduce exposure. 3. Monitor web server logs for suspicious file upload attempts or unexpected file types in upload directories. 4. Implement Web Application Firewalls (WAFs) with rules to detect and block arbitrary file upload patterns targeting this plugin. 5. Disable or restrict file execution permissions in upload directories to limit the impact of malicious files. 6. Regularly audit installed plugins and remove unused or outdated ones. 7. Stay alert for official patches or updates from the vendor and apply them promptly once available. 8. Employ intrusion detection systems to identify anomalous activities related to file uploads or remote code execution attempts. 9. Educate administrators on the risks of default credentials and enforce credential management policies. 10. Consider isolating WordPress instances in containerized or sandboxed environments to limit lateral movement if compromised.