CVE-2025-10162: 
WordPress vulnerability analysis and mitigation

The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before version 14 contains a path traversal vulnerability identified as CVE-2025-10162. The vulnerability was discovered by Khaled Alenazi (Nxploited) and was publicly disclosed on September 16, 2025. This security flaw affects the file download functionality in the plugin (WPScan).

The vulnerability stems from improper validation of file paths in the download functionality. The plugin exposes an API endpoint at /wp-json/wooconvo/v1/download-file that accepts parameters 'order_id' and 'filename' without proper path validation. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no privileges required (WPScan).

The vulnerability allows unauthenticated attackers to read and download arbitrary files from the affected WordPress installation through path traversal attacks. This could potentially expose sensitive information such as configuration files, including wp-config.php, which typically contains database credentials and other critical system information (WPScan).

The vulnerability has been fixed in version 14 of the OrderConvo plugin. Site administrators are strongly advised to update to this version immediately. No alternative workarounds have been publicly documented (WPScan).