CVE-2025-10162
Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The OrderConvo plugin for WooCommerce before version 14 allows unauthenticated attackers to read arbitrary files via path traversal in file download functionality.
Vulnerability
Overview
The OrderConvo plugin for WooCommerce (versions prior to 14) fails to validate the path of files requested for download. This missing validation allows an attacker to inject directory traversal sequences (e.g., ../) into the file path parameter, enabling access to files outside the intended directory [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the plugin's file download endpoint. No authentication or special privileges are required, making the attack surface broad and easily accessible [1].
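The following is an added example written for this page, not code from the OrderConvo plugin, illustrating the bug class described in the Overview and Exploitation sections above: a download handler that joins a request value to the upload directory without validation, beside one correct fix that canonicalises the path and checks it stays under the intended root. The parameter value, the directory layout and the file names are constructed for the demonstration; nothing here reflects the plugin's actual endpoint or parameter names.

```php
<?php
// Added example (not OrderConvo's code): a minimal download handler showing
// the vulnerable pattern and a hardened replacement. The directory layout,
// file names and attacker payload below are constructed for illustration.

declare(strict_types=1);

// Resolve a user-supplied name against $baseDir and refuse anything that
// escapes it. Returns the canonical absolute path, or null if rejected.
function resolve_download_path(string $baseDir, string $requested): ?string
{
    // Canonicalise the base once (follows symlinks, removes '..' segments).
    $base = realpath($baseDir);
    if ($base === false || $requested === '') {
        return null;
    }
    // Reject NUL bytes explicitly: PHP 8 throws a ValueError for them in
    // path functions, and we want a clean rejection rather than an exception.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Canonicalise the candidate; realpath() returns false for missing files,
    // and resolves '../' and symlinks before we compare against the base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // Prefix check with the separator included, so that /srv/uploads-evil
    // is not accepted as a child of /srv/uploads.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Vulnerable pattern: the request value is joined to the upload directory
// and streamed back with no check, so '../../wp-config.php' is served.
function download_unsafe(string $baseDir, string $requested): string
{
    $path = $baseDir . '/' . $requested;
    return (string) file_get_contents($path);
}

// Hardened pattern: serve only what resolve_download_path() accepts.
function download_safe(string $baseDir, string $requested): ?string
{
    $path = resolve_download_path($baseDir, $requested);
    return $path === null ? null : (string) file_get_contents($path);
}

// Constructed layout for the demonstration:
//   <tmp>/wp-config.php                   secret outside the download root
//   <tmp>/uploads/orderconvo/invoice.pdf  the file the endpoint should serve
$root = sys_get_temp_dir() . '/cve-2025-10162-demo-' . getmypid();
$uploadDir = "$root/uploads/orderconvo";
mkdir($uploadDir, 0700, true);
file_put_contents("$root/wp-config.php", "define('DB_PASSWORD', 'secret');");
file_put_contents("$uploadDir/invoice.pdf", "%PDF-1.4 invoice");

// Attacker-controlled value as it would arrive in the query string (constructed).
$payload = '../../wp-config.php';

echo "unsafe: ", download_unsafe($uploadDir, $payload), PHP_EOL; // leaks DB_PASSWORD
var_dump(download_safe($uploadDir, $payload));                   // NULL: rejected
var_dump(download_safe($uploadDir, 'invoice.pdf'));              // the intended file

// URL-encoded traversal is already decoded by PHP when it reaches $_GET, so a
// blocklist on the raw string is not enough; canonicalisation still catches it.
var_dump(download_safe($uploadDir, rawurldecode('..%2F..%2Fwp-config.php'))); // NULL

// A symlink inside the root that points outside it is caught as well,
// because realpath() follows the link before the prefix check runs.
if (@symlink("$root/wp-config.php", "$uploadDir/link.pdf")) {
    var_dump(download_safe($uploadDir, 'link.pdf'));             // NULL
    unlink("$uploadDir/link.pdf");
}

// Clean up the constructed layout.
unlink("$uploadDir/invoice.pdf");
unlink("$root/wp-config.php");
rmdir($uploadDir);
rmdir("$root/uploads");
rmdir($root);
```

Run it with `php` from the command line. The design point is that the fix does not try to strip or blocklist `../`; it canonicalises the resolved path and checks the result against the canonical base directory, which also handles encoded sequences, absolute paths and symlinks that a string filter would miss.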
Impact
Successful exploitation allows the attacker to read any file the web server process can read, not only files inside the WordPress installation. The most damaging target is wp-config.php, which holds the database credentials and the authentication keys and salts; with those, an attacker can access the database directly or forge authentication cookies, leading to full compromise of the site [1].
Mitigation
The vulnerability is fixed in version 14 of the plugin; sites running an earlier version should update immediately. Because the affected functionality is reachable without authentication, sites that cannot update right away should treat the plugin as exposed and consider deactivating it until the update is applied. If web server logs show requests containing traversal sequences (such as ../ or its URL-encoded form %2e%2e%2f) against the plugin, assume wp-config.php has been read and rotate the database credentials and the authentication keys and salts after updating [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.