CVE-2025-10162 in Admin and Customer Messages After Order for WooCommerce Plugin
Summary
by MITRE • 10/07/2025
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.
Analysis
by VulDB Data Team • 06/02/2026
CVE-2025-10162 affects the OrderConvo (Admin and Customer Messages After Order for WooCommerce) WordPress plugin in versions prior to 14. It is a path traversal flaw in the plugin's file download functionality: the code does not validate the path of the file it is asked to serve, so the access restriction the download feature is supposed to enforce (only files belonging to the messaging feature) can be bypassed. Because the handler uses the supplied path without adequate checks, an attacker can point it at files outside the intended directory and retrieve them from the server.
The weakness sits in the plugin's file download handling, where a user-supplied path parameter is used to locate the file without normalisation or a containment check. It is classified as CWE-22, improper limitation of a pathname to a restricted directory. Traversal sequences such as ../ (or ..\ on Windows hosts), possibly URL-encoded, are passed through to the filesystem, so the attacker can walk out of the directory the download feature is meant to expose. No authentication is required. What can be read is bounded only by the filesystem permissions of the web server process; on a typical WordPress host that includes wp-config.php, which holds the database credentials, as well as plugin configuration and other application data.
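The vulnerable and hardened shapes of a download handler like the one described above, as an added example that is not the plugin's own code (the function names, the request parameter and the directory layout are hypothetical; the page does not name the real endpoint). The hardened version canonicalises the path with realpath() and then requires the result to stay under the allowed base directory, which rejects ../ sequences, absolute paths, NUL-byte truncation and symlinks that point outside the base in one comparison:

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Function names, the request parameter
// and the directory layout are hypothetical; the page does not give the real
// endpoint. Requires PHP 8 (str_contains).

// Vulnerable shape: the client names the file and the handler serves whatever the
// concatenated string resolves to, so "../../wp-config.php" walks out of $basedir.
function vulnerable_download(string $basedir, string $requested): void
{
    $path = $basedir . '/' . $requested;   // no canonicalisation, no containment check
    header('Content-Type: application/octet-stream');
    readfile($path);
}

// Hardened shape: canonicalise with realpath() and require the result to stay under
// the base directory. Returns the absolute path to serve, or null to refuse.
function resolve_download_path(string $basedir, string $requested): ?string
{
    $base = realpath($basedir);
    if ($base === false || $requested === '' || str_contains($requested, "\0")) {
        return null;                                   // missing base, empty name, NUL byte
    }
    // Everything must be relative to $base: refuse absolute POSIX and Windows paths.
    if ($requested[0] === '/' || $requested[0] === '\\' || preg_match('/^[A-Za-z]:/', $requested) === 1) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                                   // absent, or not a regular file
    }
    // Containment: the canonical path must begin with "<base><separator>". realpath()
    // has already collapsed any "../" segments and followed symlinks, so this one
    // comparison rejects both traversal and a symlink that points outside the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration against a throw-away layout constructed for this example:
//   <tmp>/wp-config.php            (the file an attacker wants)
//   <tmp>/uploads/invoice.pdf      (the only file the handler should serve)
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'orderconvo_demo_' . getmypid();
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', "<?php // DB_PASSWORD lives here\n");
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'invoice.pdf', "%PDF-1.4 demo\n");

$cases = [
    'invoice.pdf',                 // legitimate request
    './invoice.pdf',               // harmless prefix, still inside the base
    '../wp-config.php',            // classic traversal
    '..%2Fwp-config.php',          // a double-encoded "%252F" after PHP's single decode:
                                   // realpath() treats it as a literal name, which does not exist
    '/etc/passwd',                 // absolute path
    "invoice.pdf\0.txt",           // NUL-byte truncation attempt
];
foreach ($cases as $requested) {
    $resolved = resolve_download_path($uploads, $requested);
    printf("%-28s -> %s\n", json_encode($requested), $resolved ?? 'REFUSED');
}

// Clean up the throw-away files.
unlink($uploads . DIRECTORY_SEPARATOR . 'invoice.pdf');
unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($uploads);
rmdir($root);
```

Only the first two cases resolve; the rest are refused. The check is deliberately done on the canonical result rather than by stripping "../" from the input, because strip-once filters are bypassed by "....//" and by encoded variants. In a real WordPress handler the path check should be paired with an authorization check (that the requester is the customer or admin for that order), since the advisory's point is that the endpoint served files to anyone.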
Operationally, the risk is that anyone who can reach the site over the network can read sensitive files from it without credentials. The direct impact is information disclosure, but the files reachable on a typical WordPress host (plugin configuration, user data, wp-config.php with its database credentials) give an attacker the material for follow-on attacks, such as connecting to the database with the recovered credentials. Because no account is required and the request is a single HTTP GET, the flaw can be exploited at scale against every site running a vulnerable version.
Sites running the plugin should upgrade to version 14 or later; no workaround is given for this flaw, so patching is the remediation. For developers, the durable fix is not to accept a filesystem path from the client at all: have the request carry an opaque identifier (for example a WordPress attachment ID) and resolve it to a path on the server side, together with an authorization check that the requester is entitled to that order's files. Where a relative filename must be accepted, canonicalise it with realpath() and reject any result that does not begin with the allowed base directory; rejecting ../ substrings alone is not enough, since encoded, double-encoded and ....// variants are routinely used to get past naive filters. A web application firewall can add a layer of detection and blocking for traversal attempts, but it must normalise percent-encoding before matching or the same variants slip through.

In MITRE ATT&CK terms, the activity this flaw enables maps to T1083, File and Directory Discovery: the attacker uses the arbitrary read to learn the layout of the host and locate files worth taking. Organizations should also review their WordPress installations for other plugins with outstanding advisories and apply updates promptly; unauthenticated file reads of this kind are a recurring pattern in the plugin ecosystem and are commonly mass-scanned for once disclosed.
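For the detection side of the paragraph above, an added example (not from VulDB or the plugin vendor) that hunts for traversal attempts against a download endpoint in Combined Log Format access logs. The log lines are constructed for this example, and the request "admin-ajax.php?action=oc_download&file=" is a placeholder for the plugin's real endpoint, which this page does not name. The point it makes is that matching must happen on a percent-decoded form of the request, or the encoded and double-encoded attempts are missed:

```php
<?php
declare(strict_types=1);

// Added example for hunting exploitation attempts in web-server access logs; it is
// not from VulDB or the plugin vendor. The log lines are constructed, and the
// request "admin-ajax.php?action=oc_download&file=" is a placeholder for whatever
// the plugin's real download endpoint is, which this page does not name.

const SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=oc_download&file=invoice.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Oct/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=oc_download&file=../../../wp-config.php HTTP/1.1" 200 3210',
    '198.51.100.9 - - [07/Oct/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=oc_download&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3210',
    '198.51.100.9 - - [07/Oct/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=oc_download&file=%252e%252e%252fwp-config.php HTTP/1.1" 404 0',
    '192.0.2.7 - - [07/Oct/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=oc_download&file=....//....//etc/passwd HTTP/1.1" 200 1804',
    '192.0.2.8 - - [07/Oct/2025:10:00:06 +0000] "GET /shop/?add-to-cart=42 HTTP/1.1" 200 9000',
];

// Percent-decode until the string stops changing (bounded), then unify separators,
// so single- and double-encoded payloads collapse to the same plain form.
function canonicalise(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return str_replace('\\', '/', $target);
}

// Returns a finding for one Combined-Log-Format line, or null if it looks benign.
function classify(string $line): ?array
{
    if (preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m) !== 1) {
        return null;                                    // not a request line we can parse
    }
    [$ip, $ts, $target, $status] = [$m[1], $m[2], $m[4], (int) $m[5]];
    $canon   = canonicalise($target);
    $reasons = [];
    // "../" anywhere in the decoded target; this also catches "....//" (strip-once
    // bypass) and "..\" once backslashes have been unified above.
    if (preg_match('#\.\./#', $canon) === 1) {
        $reasons[] = 'dot-dot traversal';
    }
    if (str_contains($canon, "\0")) {
        $reasons[] = 'NUL byte';
    }
    // File names that only make sense for an attacker reading server files.
    if (preg_match('#(wp-config\.php|/etc/passwd|\.env)\b#i', $canon) === 1) {
        $reasons[] = 'sensitive file name';
    }
    if ($reasons === []) {
        return null;
    }
    return [
        'ip'      => $ip,
        'time'    => $ts,
        'status'  => $status,
        'outcome' => $status === 200 ? 'LIKELY SUCCESS' : 'blocked/failed',
        'reasons' => $reasons,
        'target'  => $canon,
    ];
}

foreach (SAMPLE_LOG as $line) {
    $f = classify($line);
    if ($f !== null) {
        printf("%-14s %s %-15s [%s] %s\n", $f['ip'], $f['time'], $f['outcome'], implode(', ', $f['reasons']), $f['target']);
    }
}
```

Four of the six lines are flagged: the plain, single-encoded, double-encoded and "....//" attempts, while the legitimate download and the unrelated shop request are not. The HTTP status is carried into the finding because a 200 on a traversal request against an unpatched site is the signal that the read succeeded and the file's contents should be treated as compromised; a 404 on the double-encoded line shows a request that the server could not satisfy but that still identifies a source worth blocking.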