CVE-2025-5058 in Store Manager for WooCommerce Plugin

Summary

by MITRE • 05/24/2025

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.


Analysis

by VulDB Data Team • 07/11/2025

The CVE-2025-5058 vulnerability affects the eMagicOne Store Manager for WooCommerce plugin, a popular WordPress extension that facilitates e-commerce operations. This vulnerability stems from inadequate input validation within the set_image() function, which processes image uploads for product management. The flaw exists across all plugin versions up to and including 1.2.5, creating a persistent security risk for WordPress sites utilizing this functionality. The vulnerability represents a critical weakness in the plugin's file handling mechanisms, where proper validation of uploaded file types is completely absent, allowing attackers to bypass security restrictions through crafted file uploads.

Exploitation works through the set_image() function, which performs no file type validation. Attackers can upload files whose extensions are not filtered or restricted, potentially including PHP files or other executable formats. The vulnerability is particularly dangerous because it can be exploited by unauthenticated attackers when default credentials remain unchanged, specifically when the default password is left as 1:1. This configuration gives attackers an entry point: they can use the plugin's upload functionality to place malicious code on the target server, effectively establishing a persistent backdoor for further exploitation.

The operational impact of this vulnerability extends beyond simple file upload capabilities and creates a significant risk for remote code execution on affected WordPress installations. When an attacker successfully uploads malicious files, they can potentially execute arbitrary code on the server, leading to complete system compromise. This allows for data exfiltration, unauthorized access to customer information, modification of product listings, and potential lateral movement within the network. The vulnerability is particularly concerning in default configurations where weak default credentials persist, as it eliminates the need for additional authentication steps that might otherwise be required for exploitation.

From a cybersecurity perspective, this vulnerability aligns with CWE-434, which describes "Unrestricted Upload of File with Dangerous Type" and represents a classic example of insecure file handling in web applications. The attack surface is further expanded through ATT&CK framework mappings to techniques such as T1078 for valid accounts and T1505.003 for server-side injection. Organizations should immediately implement mitigations including plugin updates to versions that address the file validation flaw, removal of default credentials, and implementation of additional upload restrictions. Network monitoring should be enhanced to detect suspicious file upload activities, and access controls should be strengthened to prevent unauthorized modifications to WordPress plugins. The vulnerability also highlights the importance of proper input validation and the necessity of implementing defense-in-depth strategies to protect against similar issues in other components of the WordPress ecosystem.
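As an added example (not code from the plugin or from VulDB), the following sketch shows the kind of file type check the analysis describes as missing, applied as an audit over a directory of uploaded product images. The function names, the extension list and the sample files are assumptions made for illustration; point `audit_tree()` at whatever directory your installation stores uploads in.

```python
import os
import tempfile

EXEC_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar", ".pht"}  # assumed list
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),  # leading magic bytes
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}

def check_upload(name, data):
    """Return findings for one file; an empty list means it looks like a real image."""
    findings = []
    parts = name.lower().split(".")
    if {"." + p for p in parts[1:]} & EXEC_EXTS:  # any position: catches x.php.jpg
        findings.append("executable extension")
    magic = IMAGE_MAGIC.get("." + parts[-1]) if len(parts) > 1 else None
    if magic is None:
        findings.append("not an allowed image type")
    elif not data.startswith(magic):
        findings.append("content does not match extension")
    if b"<?php" in data.lower():
        findings.append("embedded PHP open tag")
    return findings

def audit_tree(root):
    """Walk an uploads directory; return {relative_path: findings} for flagged files."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                found = check_upload(fn, fh.read(65536))  # header plus first 64 KiB scan
            if found:
                flagged[os.path.relpath(path, root)] = found
    return flagged

def demo():
    samples = {  # constructed files, made up for this example
        "product.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "thumb.php": b"<?php echo 1; ?>",
        "banner.php.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",
        "logo.gif": b"<?php echo 1; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_tree(root)

if __name__ == "__main__":
    print("\n".join(f"{p} -> {', '.join(w)}" for p, w in sorted(demo().items())))
```

The same `check_upload()` logic works as a pre-write gate in an upload handler; as an audit it will also flag legitimate non-image files, so scope it to directories that should only ever hold images.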
