CVE-2025-10162 Scanner

The WordPress OrderConvo plugin is a widely used add-on specifically crafted for WooCommerce sites, enabling seamless communication between vendors and customers. It streamlines order-related conversations, providing a straightforward interface for message exchanges. Businesses and customers globally rely on it to enhance their shopping experience. Its primary users are e-commerce websites on WordPress platforms, with a significant share of mid-sized to large enterprises utilizing this tool. OrderConvo is popular due to its ability to improve customer service and boost engagement on eCommerce platforms.

Path Traversal is a serious security vulnerability that allows unauthorized users to access files and directories outside of the web root folder. Attackers exploit this by manipulating variables that reference files, using specially crafted inputs to traverse directory paths. The OrderConvo plugin's vulnerability stems from inadequate validation of the paths used in file download processes. This lack of validation allows potential threats to gain access to sensitive information stored on the server, bypassing normal authentication barriers. It's crucial for plugin users to understand this risk to prevent unauthorized data exposure.

The vulnerability exists due to unsafe handling of path inputs in the WooCommerce OrderConvo plugin. Specifically, the 'download-file' functionality in the plugin's API can be exploited with crafted GET requests. Attackers might manipulate parameters such as 'order_id' and 'filename' to include directory traversal sequences like '../../../'. This can lead to accessing files like 'wp-config.php', which contain sensitive information. The vulnerability is easily exploitable, as the endpoint lacks sufficient checks on input parameters, making it a prime target for malicious actors.

Exploitation of this vulnerability can have severe consequences for affected websites. Unauthorized file access might lead to exposure of sensitive data, such as database credentials, API keys, and application configurations. Consequently, it could facilitate further attacks on the compromised system, such as modifying site data, injecting malicious code, or even gaining full control of the site. Businesses could suffer significant reputational and financial damages if sensitive customer data is leaked. It's imperative for site administrators to mitigate this risk by applying security best practices promptly.

REFERENCES

• https://wpscan.com/vulnerability/f878615d-955d-4365-87e0-6c928f548986/
• https://wordpress.org/plugins/admin-and-client-message-after-order-for-woocommerce/
• https://nvd.nist.gov/vuln/detail/CVE-2025-10162