HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Path Traversal in WordPress OrderConvo Plugin (CVE‑2025‑10162) Exposes Sensitive Files

A critical path‑traversal flaw (CVE‑2025‑10162) in the WordPress OrderConvo plugin lets attackers read arbitrary files, including wp-config.php, putting any site that uses the plugin at risk of credential leakage and downstream compromise.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
exploit-db.com

Path Traversal in WordPress OrderConvo Plugin (CVE‑2025‑10162) Exposes Sensitive Files

What Happened — A critical path‑traversal vulnerability (CVE‑2025‑10162) was discovered in the WordPress OrderConvo plugin v13.5. An unauthenticated attacker can craft a request to wp-json/wooconvo/v1/download-file and read arbitrary files outside the web root, including wp-config.php.

Why It Matters for TPRM

  • Exposes database credentials and other secrets, enabling downstream compromise of the entire WordPress site.
  • Third‑party sites that embed the plugin inherit the risk, potentially affecting your supply chain.
  • Attackers can pivot from the compromised site to other services that share the same credentials.

Who Is Affected — E‑commerce sites, agencies, and any organization running WordPress with the OrderConvo (Admin & Client Message after Order for WooCommerce) plugin, across all industries.

Recommended Actions

  • Verify whether the plugin is installed and, if so, upgrade to a patched version or remove it immediately.
  • Rotate any credentials that may have been exposed (database passwords, API keys).
  • Conduct a file‑integrity scan for signs of unauthorized access.

Technical Notes — The vulnerability is a classic directory‑traversal flaw triggered via the filename parameter in the REST endpoint. No authentication is required. Exploit code uses HTTP GET requests with deep ../ sequences to read files such as wp-config.php. No CVE‑specific patches were released at the time of disclosure; mitigation relies on plugin removal or strict input validation. Source: Exploit‑DB 52607

📰 Original Source
https://www.exploit-db.com/exploits/52607

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →