CVE-2025-10897
Published: 31 October 2025
Summary
CVE-2025-10897 is a high-severity Path Traversal (CWE-22) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read due to a path traversal flaw (CWE-22) in all versions through 1.9.28. The issue permits unauthenticated remote attackers to access any file readable by the web server process, with the highest impact occurring when sensitive files such as wp-config.php are retrieved.
An attacker can exploit the vulnerability over the network without authentication or user interaction, achieving disclosure of database credentials and other configuration secrets stored on the server. The CVSS 3.1 score of 8.6 reflects the combination of low attack complexity, no required privileges, and changed scope that affects the confidentiality of the underlying host.
Public references from Wordfence and the Codecanyon product page indicate that sites running the affected theme should apply vendor updates once released; no further mitigation details such as temporary workarounds are provided in the available advisories.
EPSS for the CVE rose from a low baseline to a peak of 0.2258 (current value 0.1625), signaling increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37310
Vulnerability details
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials…
more
when the wp-config.php file is read.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file read in public-facing WordPress theme enables T1190 (exploit public-facing app). Directly facilitates reading local files for T1005 (data from local system) and exposes credentials in files like wp-config.php for T1552.001.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation requires patching the arbitrary file read vulnerability in WooCommerce Designer Pro theme versions up to 1.9.28 to prevent unauthenticated exploitation.
Information input validation directly counters path traversal inputs enabling arbitrary file reads such as wp-config.php on WordPress servers.
Vulnerability monitoring and scanning identifies the high-severity CVE-2025-10897 in deployed WooCommerce Designer Pro themes, enabling timely remediation.