CVE-2025-10162
Published 2025-10-07
Severity: high, CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Priority: P263
Exploit: available
EPSS: 3.69% (88.3rd percentile)
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to the WooConvo REST API download endpoint with path traversal sequences (../) in the 'filename' parameter.
- Alert on HTTP 200 responses from /wp-json/wooconvo/v1/download-file containing WordPress credential strings such as 'DB_NAME' and 'DB_PASSWORD', indicating successful wp-config.php exfiltration.
- No authentication is required to exploit this endpoint; monitor for requests to /wp-json/wooconvo/v1/download-file from unauthenticated (no session/nonce) clients.
- The exploit targets plugin versions prior to 14 (tested on 13.5). Patched installations (version 14+) validate the download path and are not vulnerable.
- The path traversal depth required to escape the web root may vary by server configuration; attackers may use deeper sequences (e.g., ../../../../../etc/passwd) beyond the default four levels shown.
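An added example (written here, not taken from the page or any of the cited sources) of the detection logic described above, run over constructed access-log lines: it flags requests to the WooConvo download endpoint whose decoded 'filename' parameter carries a traversal sequence and marks a hit as a likely successful read when the server answered 200. The log format (Apache/nginx combined) and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the IOCs above; the 'filename' parameter is the traversal vector.
ENDPOINT = "/wp-json/wooconvo/v1/download-file"
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Combined log format (assumed): client ip, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def traversal_filename(target):
    """Return the decoded 'filename' value if it carries ../ (or ..\\) on the
    WooConvo endpoint, else None. Decoding twice catches %252e double encoding."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith(ENDPOINT):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("filename", []):
        decoded = unquote(unquote(value))
        if TRAVERSAL.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Return (ip, timestamp, decoded filename, status, likely_success) per hit.
    A 200 on a traversal request is the success indicator from the IOCs above."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        fname = traversal_filename(m["target"])
        if fname is not None:
            status = int(m["status"])
            hits.append((m["ip"], m["ts"], fname, status, status == 200))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Oct/2025:10:01:02 +0000] "GET /wp-json/wooconvo/v1/download-file?filename=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "python-httpx/0.27"',
    '198.51.100.7 - - [07/Oct/2025:10:01:05 +0000] "GET /wp-json/wooconvo/v1/download-file?filename=..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 403 0 "-" "python-httpx/0.27"',
    '203.0.113.4 - - [07/Oct/2025:10:02:00 +0000] "GET /wp-json/wooconvo/v1/download-file?filename=invoice-1042.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Oct/2025:10:03:11 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8870 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, fname, status, ok in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} traversal filename={fname!r} status={status} likely_success={ok}")
```

Legitimate downloads of plain filenames on the same endpoint are not flagged; pair a 200 hit with the response-body check for 'DB_NAME'/'DB_PASSWORD' from the IOCs above to confirm exfiltration.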
VulDB
Admin and Customer Messages After Order for WooCommerce Plugin path traversal (EUVD-2025-32606 / EDB-52607)
vuldb·2026-06-02·CVSS 7.5
CVE-2025-10162 [HIGH] Admin and Customer Messages After Order for WooCommerce Plugin path traversal (EUVD-2025-32606 / EDB-52607)
A vulnerability identified as critical has been detected in Admin and Customer Messages After Order for WooCommerce Plugin up to 13 on WordPress. This affects an unknown part. The manipulation leads to path traversal.
This vulnerability is traded as CVE-2025-10162. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
You should upgrade the affected component.
GHSA
GHSA-gwm7-3ffx-268r: The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloade
ghsa_unreviewed·2025-10-07
CVE-2025-10162 [HIGH] GHSA-gwm7-3ffx-268r: The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloade
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack
No detection rules found.
Exploit-DB
WordPress OrderConvo 14 - Path Traversal
exploitdb·2026-06-01·CVSS 7.5
CVE-2025-10162 [HIGH] WordPress OrderConvo 14 - Path Traversal
---
# Exploit Title: WordPress OrderConvo 14 - Path Traversal
# Date: 05-31-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://www.najeebmedia.com/
# Software Link: https://wordpress.org/plugins/admin-and-client-message-after-order-for-woocommerce/
# Version: 13.5
# Tested on: Debian
# CVE : CVE-2025-10162

import httpx
import asyncio
import argparse
from urllib.parse import urljoin
import sys

async def main(base_url, file):
    async with httpx.AsyncClient(verify=False) as client:
        try:
            print('[*] Checking connection to target')
            req = await client.get(url=base_url)
            if req.status_code == 200:
                print('[+] The target is alive, exploiting\n')
            else:
                print(f'[-] Unable to connect to the target. Code: {req.status_code}')
                sys.exit()
        except:
            print(
Nuclei
WordPress OrderConvo < 14 - Path Traversal
nuclei·CVSS 7.5
CVE-2025-10162 [HIGH] WordPress OrderConvo < 14 - Path Traversal
WooCommerce OrderConvo WordPress plugin < 14 contains a path traversal vulnerability caused by improper validation of file download paths, letting unauthenticated attackers read or download arbitrary files remotely
Template:
id: CVE-2025-10162

info:
  name: WordPress OrderConvo < 14 - Path Traversal
  author: 0x_Akoko
  severity: high
  description: |
    WooCommerce OrderConvo WordPress plugin < 14 contains a path traversal vulnerability caused by improper validation of file download paths, letting unauthenticated attackers read or download arbitrary files remotely
  impact: |
    Unauthenticated attackers can read or download arbitrary files, potentially exposing sensitive information.
  remediation: |
    Update firmware to a version later than 1.181.5 o
No writeups or analysis indexed.
Published: 2025-10-07