#VU109830 External Control of File Name or Path in Store Manager Connector - CVE-2025-4603

Cybersecurity Help s.r.o.

Published: 2025-05-27 | Updated: 2025-05-30

Vulnerability identifier: #VU109830

Vulnerability risk: High

CVSSv4.0: 7.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2025-4603

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Store Manager Connector
Web applications / Modules and components for CMS

Vendor: eMagicOne

Description

The vulnerability allows a remote attacker to delete arbitrary files.

The vulnerability exists due to insufficient file path validation in the delete_file() function. A remote attacker can delete arbitrary files on the target server.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Store Manager Connector: 1.2.0 - 1.2.5

External links
https://github.com/d0n601/CVE-2025-4603/
https://plugins.trac.wordpress.org/browser/store-manager-connector/trunk/classes/class-emosmconnectorcommon.php#L2167
https://plugins.trac.wordpress.org/browser/store-manager-connector/trunk/classes/class-emosmcwoocommerceoverrider.php#L380
https://plugins.trac.wordpress.org/browser/store-manager-connector/trunk/smconnector.php#L35-36
https://ryankozak.com/posts/cve-2025-4603/
https://www.wordfence.com/threat-intel/vulnerabilities/id/242ad00b-3602-4988-ab7a-76fba2e9d4cf?source=cve

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in eMagicOne Store Manager for WooCommerce plugin for WordPress