CVE-2025-10162
Published: 07 October 2025
Summary
CVE-2025-10162 is a high-severity vulnerability of an unspecified weakness type. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a path traversal flaw in the Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before version 14. The component fails to validate file paths supplied for download operations, enabling unauthorized access to files outside the intended directory.
An unauthenticated attacker can exploit the issue remotely with low attack complexity by supplying crafted path parameters in download requests. Successful exploitation grants read access to arbitrary files on the server, resulting in high confidentiality impact without affecting integrity or availability.
The EPSS score stands at 0.3920, with an identical peak value, indicating steady rather than rising exploitation interest since disclosure. The referenced WPScan advisory identifies the affected plugin versions but supplies no additional mitigation details in the available record.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32090
Vulnerability details
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.