Path Traversal in WordPress OrderConvo Plugin (CVE‑2025‑10162) Exposes Sensitive Files
What Happened — A critical path‑traversal vulnerability (CVE‑2025‑10162) was discovered in the WordPress OrderConvo plugin v13.5. An unauthenticated attacker can craft a request to wp-json/wooconvo/v1/download-file and read arbitrary files outside the web root, including wp-config.php.
Why It Matters for TPRM —
- Exposes database credentials and other secrets, enabling downstream compromise of the entire WordPress site.
- Third‑party sites that embed the plugin inherit the risk, potentially affecting your supply chain.
- Attackers can pivot from the compromised site to other services that share the same credentials.
Who Is Affected — E‑commerce sites, agencies, and any organization running WordPress with the OrderConvo (Admin & Client Message after Order for WooCommerce) plugin, across all industries.
Recommended Actions —
- Verify whether the plugin is installed and, if so, upgrade to a patched version or remove it immediately.
- Rotate any credentials that may have been exposed (database passwords, API keys).
- Conduct a file‑integrity scan for signs of unauthorized access.
Technical Notes — The vulnerability is a classic directory‑traversal flaw triggered via the filename parameter in the REST endpoint. No authentication is required. Exploit code uses HTTP GET requests with deep ../ sequences to read files such as wp-config.php. No CVE‑specific patches were released at the time of disclosure; mitigation relies on plugin removal or strict input validation. Source: Exploit‑DB 52607