eMagicOne Store Manager for WooCommerce Arbitrary File Read Vulnerability
Vulnerability
A vulnerability allowing arbitrary file reads has been identified in the eMagicOne Store Manager for WooCommerce plugin for WordPress, affecting all versions through 1.2.5. The issue arises in the get_file() function, where unauthenticated attackers can read the contents of arbitrary files on the server, potentially exposing sensitive information. This vulnerability is exploitable in default configurations where the default password has not been changed, or if the attacker obtains the credentials.
Impact
Exploitation of this vulnerability allows for unauthorized access to sensitive files on the server, such as the WordPress configuration file, wp-config.php, which contains database credentials and other critical information.
Reproduction
To reproduce this vulnerability, send a POST request to the bridge endpoint with the default hash (md5('1' . '1')) and the task parameter set to 'get_file'. Include the entity_type and filename parameters, specifying the file to be read. The response will contain the requested file's contents.
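For defenders, the request shape described above can be matched in logged POST bodies (for example from a WAF or reverse proxy that records request bodies). The following is an added detection sketch, not code from the plugin or its vendor; it assumes the hash is sent in a parameter named `hash`, and the sample bodies are constructed.

```python
import hashlib
from urllib.parse import parse_qs

# md5('1' . '1') from the advisory: the hash produced by the unchanged default credentials.
DEFAULT_HASH = hashlib.md5(b"11").hexdigest()

# Filename markers worth escalating; wp-config.php is the file the advisory names.
SENSITIVE_MARKERS = ("wp-config.php", "..")


def classify_bridge_request(body: str) -> list[str]:
    """Return findings for one form-encoded POST body sent to the bridge endpoint."""
    # parse_qs percent-decodes values, so encoded filenames are compared in decoded form.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    # Assumption: the hash travels in a parameter named "hash".
    if params.get("hash", "").lower() == DEFAULT_HASH:
        findings.append("default-credential-hash")
    if params.get("task") == "get_file":
        findings.append("get_file-task")
        filename = params.get("filename", "").lower()
        if any(marker in filename for marker in SENSITIVE_MARKERS):
            findings.append("sensitive-filename")
    return findings


def scan(bodies: list[str]) -> dict[int, list[str]]:
    """Map the index of each suspicious body to its findings."""
    results = {}
    for index, body in enumerate(bodies):
        findings = classify_bridge_request(body)
        if findings:
            results[index] = findings
    return results


# Constructed sample bodies (not real traffic); "example" and "other_task" are placeholders.
SAMPLE_BODIES = [
    f"hash={DEFAULT_HASH}&task=get_file&entity_type=example&filename=wp-config.php",
    f"hash={'a' * 32}&task=get_file&entity_type=example&filename=report.csv",
    f"hash={DEFAULT_HASH.upper()}&task=other_task",
    f"hash={'b' * 32}&task=other_task",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_BODIES).items():
        print(index, findings)
```

A `default-credential-hash` finding shows only that the default hash was sent; whether it was accepted depends on whether the site's password had been changed.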
Remediation
Users are advised to update to version 1.3.0 or later, where this vulnerability has been patched.
