CVE-2025-10162
OrderConvo < 14 - Unauthenticated Arbitrary File Read
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
public PoCs found — 3
github: github.com/diamorphine666/CVE-2025-10162-Exploit (★ 0)
cve_reference: wpscan.com/vulnerability/f878615d-955d-4365-87e0-6c928f548986/ (unverified)
exploitdb: www.exploit-db.com/exploits/52607 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.