Home

Description

The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack

PUBLISHED Reserved 2025-09-09 | Published 2025-10-07 | Updated 2025-10-07 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 14
affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/f878615d-955d-4365-87e0-6c928f548986/ exploit vdb-entry technical-description

cve.org (CVE-2025-10162)

nvd.nist.gov (CVE-2025-10162)

Download JSON