Security Flaws in eMagicOne Store Manager for WooCommerce in WordPress (CVE-2025-5058 and CVE-2025-4603)
ID: 4dff74a2-b8af-5abd-b727-c340c84475d8
STIX ID: report--4dff74a2-b8af-5abd-b727-c340c84475d8
Feed Name: Seqrite Blog
This report describes two critical vulnerabilities in the eMagicOne Store Manager for WooCommerce plugin (CVE-2025-5058 and CVE-2025-4603). CVE-2025-5058 allows arbitrary file upload via the bridge endpoint's set_image task due to improper file type validation, while CVE-2025-4603 permits arbitrary file deletion via delete_file due to insufficient path validation. Both issues can enable remote code execution and full server compromise, particularly when default authentication (login=1, password=1) is left unchanged; mitigations include changing default credentials, applying patches, and enforcing strict server-side file validation and permissions.
