cbcvebase.
CVE-2025-10162
published 2025-10-07

CVE-2025-10162: The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which…

Priority P2 · 63 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 3.69% (88.3rd percentile)
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.

Detection & IOCs (extracted from sources)

  • url: /wp-json/wooconvo/v1/download-file?order_id=1&filename=../../../../wp-config.php
  • path: /wp-json/wooconvo/v1/download-file
  • path: ../../../../wp-config.php
  • url: {{BaseURL}}/wp-json/wooconvo/v1/download-file?order_id=1&filename=../../../../wp-config.php
  • Detect unauthenticated GET requests to the WooConvo REST API download endpoint with path traversal sequences (../) in the 'filename' parameter.
  • Alert on HTTP 200 responses from /wp-json/wooconvo/v1/download-file containing WordPress credential strings such as 'DB_NAME' and 'DB_PASSWORD', indicating successful wp-config.php exfiltration.
  • No authentication is required to exploit this endpoint; monitor for requests to /wp-json/wooconvo/v1/download-file from unauthenticated (no session/nonce) clients.
  • The exploit targets plugin versions prior to 14 (tested on 13.5). Patched installations (version 14+) validate the download path and are not vulnerable.
  • The path traversal depth required to escape the web root may vary by server configuration; attackers may use deeper sequences (e.g., ../../../../../etc/passwd) beyond the default four levels shown.
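The detection bullets above, implemented as a log-review check (an added example, not code from the advisory or the plugin): it parses access-log lines, matches the WooConvo download endpoint, flags any `filename` value that contains a `..` segment, and rates a 200 with a non-empty body as a likely exfiltration. It goes slightly beyond the bullets by also decoding percent-encoded and backslash variants and by recognising the `?rest_route=` form of the endpoint; the combined log format and the sample lines are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "/wooconvo/v1/download-file"   # REST route of the vulnerable endpoint
# Apache/nginx "combined" access-log format (assumption); the regex is this example's own.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def fully_unquote(value, rounds=3):
    # Strip up to `rounds` layers of percent-encoding (%2e%2e%2f, %252e%252e%252f, ...).
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyze_line(line):
    # Return a finding dict for a traversal attempt against the download endpoint, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query)
    # Permalink form (/wp-json/...) or ?rest_route=... form used when pretty permalinks are off.
    on_route = parts.path.rstrip("/").endswith(ROUTE) or any(
        r.rstrip("/").endswith(ROUTE) for r in params.get("rest_route", []))
    if not on_route:
        return None
    for raw in params.get("filename", []):
        filename = fully_unquote(raw)
        # A ".." segment under either separator escapes the intended upload directory.
        if ".." not in re.split(r"[\\/]", filename):
            continue
        status, size = m.group("status"), m.group("size")
        served = status == "200" and size not in ("-", "0")   # file content actually returned
        return {"ip": m.group("ip"), "ts": m.group("ts"), "filename": filename,
                "status": int(status), "verdict": "likely_success" if served else "attempt"}
    return None

# Constructed sample lines (not from the advisory): two attacks, one benign download.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2025:10:15:01 +0000] "GET /wp-json/wooconvo/v1/download-file'
    '?order_id=1&filename=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '203.0.113.5 - - [07/Oct/2025:10:15:07 +0000] "GET /?rest_route=/wooconvo/v1/download-file'
    '&order_id=1&filename=%252e%252e%255c%252e%252e%255cwp-config.php HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [07/Oct/2025:10:16:00 +0000] "GET /wp-json/wooconvo/v1/download-file'
    '?order_id=42&filename=invoice-42.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"',
]
def scan(lines):
    return [f for f in map(analyze_line, lines) if f]
```

Running `scan(SAMPLE_LOG)` yields two findings: the first request is rated `likely_success` (200 with a body), the double-encoded backslash variant is rated `attempt`, and the legitimate invoice download is ignored.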