vulnerability

WordPress Plugin: store-manager-connector: CVE-2025-4602: External Control of File Name or Path

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:M/Au:N/C:C/I:N/A:N)	May 23, 2025	Nov 6, 2025	Nov 6, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:C/I:N/A:N)

Published

May 23, 2025

Added

Nov 6, 2025

Modified

Nov 6, 2025

Description

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.

Solution

store-manager-connector-plugin-cve-2025-4602

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-4602
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/20caab24-4af7-4592-9b18-f2f5acb423c9?source=api-prod
CVE-2025-4602
https://attackerkb.com/topics/CVE-2025-4602
CWE-73

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today