CVE-2025-10406: 
WordPress vulnerability analysis and mitigation

The BlindMatrix e-Commerce WordPress plugin (versions before 3.1) was identified with a Local File Inclusion (LFI) vulnerability, tracked as CVE-2025-10406. The vulnerability was discovered by security researcher Khaled Alenazi and publicly disclosed on September 24, 2025. This security flaw affects the window-blinds-solution WordPress plugin, specifically impacting all versions up to and including 3.0 (WPScan, Rapid7).

The vulnerability stems from improper validation of shortcode attributes before they are used to generate paths passed to include functions. The CVSS score is rated at 5.5 (medium), and it is classified under CWE-22 and OWASP Top 10 category A1: Injection. A proof of concept exploit has been documented using the shortcode format: [BlindMatrix source="/etc/passwd"] (WPScan).

The vulnerability allows authenticated users with Contributor-level access or higher to perform Local File Inclusion attacks. This can lead to the inclusion and execution of arbitrary files on the server, potentially enabling attackers to bypass access controls, obtain sensitive data, or achieve code execution where 'safe' file types can be uploaded and included (Rapid7).

The vulnerability has been patched in version 3.1 of the BlindMatrix e-Commerce plugin. Users are advised to update to this version to mitigate the security risk (WPScan).