Description

The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.

PUBLISHED Reserved 2025-09-23 | Published 2025-10-31 | Updated 2025-10-31 | Assigner Wordfence

HIGH: 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

* (semver): affected

Timeline

2025-09-23: Discovered
2025-10-30: Disclosed

Credits

István Márton (finder)

References

www.wordfence.com/...-bd05-4e7e-99dc-dca67064182a?source=cve

codecanyon.net/...erce-designer-pro-cmyk-card-flyer/22027731

cve.org (CVE-2025-10897)

nvd.nist.gov (CVE-2025-10897)