CVE-2025-10897

Severity: High
Published: 31 October 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.1625 (95.0th percentile)
Risk Priority: 27 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-10897 is a high-severity Path Traversal (CWE-22) vulnerability in the WooCommerce Designer Pro theme for WordPress, distributed through Codecanyon (affected asset inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.0% of all CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are the NIST SP 800-53 controls RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read due to a path traversal flaw (CWE-22) in all versions through 1.9.28. The issue permits unauthenticated remote attackers to access any file readable by the web server process, with the highest impact occurring when sensitive files such as wp-config.php are retrieved.

An attacker can exploit the vulnerability over the network without authentication or user interaction, achieving disclosure of database credentials and other configuration secrets stored on the server. The CVSS 3.1 score of 8.6 reflects the combination of low attack complexity, no required privileges, and changed scope that affects the confidentiality of the underlying host.

Public references from Wordfence and the Codecanyon product page indicate that sites running the affected theme should apply vendor updates once released; no further mitigation details such as temporary workarounds are provided in the available advisories.

EPSS for the CVE rose from a low baseline to a peak of 0.2258 (current value 0.1625), signaling increased exploitation interest after disclosure.

Vulnerability details

The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

An arbitrary file read in a public-facing WordPress theme is exploited over the network without authentication (T1190). The same flaw directly enables reading local files on the server (T1005) and exposes credentials stored in files such as wp-config.php (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2022-50992 (shared CWE-22)
- CVE-2026-32847 (shared CWE-22)
- CVE-2026-30869 (shared CWE-22)
- CVE-2026-35615 (shared CWE-22)
- CVE-2026-33077 (shared CWE-22)
- CVE-2026-27305 (shared CWE-22)
- CVE-2026-30403 (shared CWE-22)
- CVE-2020-36939 (shared CWE-22)
- CVE-2026-28679 (shared CWE-22)
- CVE-2026-30952 (shared CWE-22)

Affected Assets

Codecanyon (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): Flaw remediation requires patching the arbitrary file read vulnerability in WooCommerce Designer Pro theme versions up to 1.9.28 to prevent unauthenticated exploitation.
- SI-10 Information Input Validation (prevent): Information input validation directly counters the path traversal inputs that enable arbitrary file reads such as wp-config.php on WordPress servers.
- RA-5 Vulnerability Monitoring and Scanning (prevent, detect): Vulnerability monitoring and scanning identifies the high-severity CVE-2025-10897 in deployed WooCommerce Designer Pro themes, enabling timely remediation.
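To make the SI-10 control concrete, the following is an added example (not code from the advisory, the theme, or WordPress) that places a naive file resolver of the kind behind CWE-22 next to a hardened one. The hardened resolver decodes the request a second time so double-encoded separators cannot slip past the check, rejects absolute paths and NUL bytes, canonicalises with `os.path.realpath` (which also follows symlinks), and then requires the result to remain under the theme directory. The site layout, the `wp-config.php` contents and the request strings are all constructed for the demonstration; the `demo_results` helper exists only to run every request through both resolvers.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(base_dir: str, requested: str) -> str:
    """Weak pattern behind CWE-22: the user-controlled segment is joined as-is."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str):
    """Return an absolute file path confined to base_dir, or None if the request escapes it.

    Added, generic illustration of the SI-10 input-validation control; not the
    theme's own code.
    """
    # Decode once more even though the web server already decoded the URL, so a
    # double-encoded "%252F" cannot smuggle a separator past the check.
    decoded = unquote(requested)
    # NUL bytes can truncate paths in C-backed APIs; absolute paths bypass the join.
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    root = os.path.realpath(base_dir)
    # realpath collapses "." and ".." and follows symlinks, so candidate is the
    # location the OS would actually open, not the string the client sent.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def escapes(base_dir: str, path: str) -> bool:
    """True when path, after canonicalisation, lies outside base_dir."""
    root = os.path.realpath(base_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def build_demo_site():
    """Create a throwaway WordPress-like tree (constructed, not a real install)."""
    site = os.path.join(tempfile.mkdtemp(prefix="wp-demo-"), "site")
    theme = os.path.join(site, "wp-content", "themes", "demo")
    os.makedirs(os.path.join(theme, "assets"))
    with open(os.path.join(site, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'placeholder-secret');\n")  # placeholder value
    with open(os.path.join(theme, "assets", "style.css"), "w") as fh:
        fh.write("body { color: #333; }\n")
    try:
        # A symlink inside the theme that points at the config file: realpath must see through it.
        os.symlink(os.path.join(site, "wp-config.php"), os.path.join(theme, "link.php"))
    except OSError:
        pass  # platforms without symlink support simply skip this case
    return site, theme


# Constructed request strings, as they would arrive in the URL before decoding.
REQUESTS = {
    "legit": "assets/style.css",
    "dotdot_inside": "assets/../assets/style.css",
    "traversal": "../../../wp-config.php",
    "encoded": "..%2F..%2F..%2Fwp-config.php",
    "double_encoded": "..%252F..%252F..%252Fwp-config.php",
    "absolute": "/etc/hostname",
    "symlink": "link.php",
}


def demo_results() -> dict:
    """Run every constructed request through both resolvers and report the outcome."""
    _site, theme = build_demo_site()
    out = {}
    for label, raw in REQUESTS.items():
        served = unquote(raw)  # the single URL decode a web server performs
        naive_target = naive_resolve(theme, served)
        safe_target = safe_resolve(theme, served)
        out[label] = {
            # Does the naive join land outside the theme directory?
            "naive_escapes": escapes(theme, naive_target),
            # Path the hardened resolver would serve, relative to the theme, or None.
            "safe": None if safe_target is None
            else os.path.relpath(safe_target, os.path.realpath(theme)),
        }
    return out


if __name__ == "__main__":
    for label, result in demo_results().items():
        print(f"{label:15} naive_escapes={result['naive_escapes']!s:5} safe={result['safe']}")
```

Note the double-encoded case: the naive resolver does not escape there only because no file literally named `..%2F..%2F..%2Fwp-config.php` exists, which is luck rather than validation; the hardened resolver rejects it on the decoded form. The check should always compare canonical paths (`realpath` on both sides) rather than string prefixes, otherwise a sibling directory such as `demo-old` next to `demo` would pass a `startswith` test.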
