Description

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to build paths that are passed to include function(s), allowing any authenticated user, such as a contributor, to perform local file inclusion (LFI) attacks.

Status: PUBLISHED | Reserved: 2025-09-13 | Published: 2025-10-15 | Updated: 2025-10-15 | Assigner: WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

Any version before 3.1: affected

Credits

Finder: Khaled Alenazi (Nxploited)

Coordinator: WPScan

References

wpscan.com/...rability/d8bdd2d4-c03c-4e7f-9c8a-6efc010311b6/ exploit vdb-entry technical-description

cve.org (CVE-2025-10406)

nvd.nist.gov (CVE-2025-10406)