Cyber Resilience

CVE-2025-10162

Severity: High

Published: 07 October 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: (no entry in the record)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3920 (97.4th percentile)
Risk Priority: 39 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-10162 is a high-severity vulnerability. The record assigns it no CWE, but the vulnerability details describe a path traversal. Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score places it in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a path traversal flaw in the Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before version 14. The component fails to validate file paths supplied for download operations, enabling unauthorized access to files outside the intended directory.

An unauthenticated attacker can exploit the issue remotely with low attack complexity by supplying crafted path parameters in download requests. Successful exploitation grants read access to arbitrary files on the server, resulting in high confidentiality impact without affecting integrity or availability.
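The flaw class described above, as an added example that is not the plugin's own code: a download handler that joins the requested file name straight onto the upload directory, beside a hardened handler that canonicalises the path and refuses anything that does not resolve to a regular file beneath that directory. The directory layout, file names and request values are constructed for the demonstration; it is written in Python for portability, and the same containment check applies to a PHP handler.

```python
# Added example: illustrative download-handler path checks. This is not the
# OrderConvo plugin's code; the directory layout, file names and request
# values below are constructed for the demonstration.
import os
import tempfile
from typing import Dict, Optional


def is_inside(base: str, path: str) -> bool:
    """True when `path` is `base` itself or lies beneath it (pure string logic,
    no filesystem access, so it is safe to call on untrusted input)."""
    try:
        return os.path.commonpath([base, path]) == base
    except ValueError:  # mixed absolute/relative paths, or different drives on Windows
        return False


def vulnerable_download_path(base_dir: str, requested: str) -> str:
    """Mirrors the flaw class: the request value is joined to the upload
    directory with no validation. '../' segments walk out of base_dir, and an
    absolute `requested` makes os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Hardened form: reject NUL bytes and absolute paths up front, canonicalise
    both sides with realpath (so symlinks and '..' are resolved the way the OS
    will open the file), and require the result to stay under base_dir and to
    be a regular file. Returns None when the request must be refused."""
    if "\x00" in requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not is_inside(base, candidate) or not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, Dict[str, object]]:
    """Builds a throwaway site tree (constructed sample data): an uploads
    directory holding one legitimate attachment, and a secret file one level
    up. Runs both handlers over request values an attacker might send and
    reports whether the vulnerable one escapes and whether the safe one allows."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        with open(os.path.join(uploads, "invoice.pdf"), "w") as fh:
            fh.write("%PDF-1.4 (constructed attachment)\n")
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php /* constructed secret outside the upload dir */\n")

        requests = [
            "invoice.pdf",              # legitimate
            "subdir/../invoice.pdf",    # odd, but still resolves inside
            "../wp-config.php",         # classic traversal, one level up
            "../../../../etc/passwd",   # over-shoot; normpath clamps at '/'
            "/etc/passwd",              # absolute path swallows base_dir
            "invoice.pdf\x00.jpg",      # NUL byte; defeats naive suffix checks
        ]
        results: Dict[str, Dict[str, object]] = {}
        for req in requests:
            vuln = vulnerable_download_path(uploads, req)
            safe = safe_download_path(uploads, req)
            results[req] = {
                "vulnerable_resolves_to": vuln,
                "vulnerable_escapes": not is_inside(uploads, vuln),
                "safe_allowed": safe is not None,
            }
        return results


if __name__ == "__main__":
    for req, info in demo().items():
        print(f"{req!r:32} escapes={info['vulnerable_escapes']!s:5} "
              f"safe_allowed={info['safe_allowed']}")
```

The check worth copying is the order of operations: refuse NUL bytes and absolute paths before touching the filesystem, canonicalise with realpath on both the base and the candidate, then compare with commonpath rather than a string prefix (a bare `startswith(base)` still accepts a sibling such as `uploads_backup`, and an un-resolved path still follows symlinks out of the directory).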

The current EPSS score of 0.3920 equals its recorded peak, so exploitation interest has held steady rather than declining since disclosure. The referenced WPScan advisory identifies the affected plugin versions, but the available record carries no further mitigation detail.

Vulnerability details

The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.

CWE(s)
None listed

Related Threats

No named threat actor attribution is recorded, and no ATT&CK technique mapping is available for this CVE.

Mitigating Controls

No controls are mapped in the record. The advisory text gives version 14 as the first unaffected release, so updating the plugin to 14 or later removes the flaw.
