CVE-2025-10162: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Admin and Customer Messages After Order for WooCommerce: OrderConvo
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.
AI Analysis
Technical Summary
CVE-2025-10162 is a path traversal vulnerability (CWE-22) in the WordPress plugin 'Admin and Customer Messages After Order for WooCommerce: OrderConvo' in versions before 14. The plugin's file download handler does not validate or canonicalise the path it is asked to serve, so a request parameter containing dot-dot segments (or their percent-encoded forms) can reach files outside the directory the plugin is meant to expose. The advisory states that no authentication is required, and a download request needs no user interaction, so any remote scanner can test a site for the flaw. What an attacker gains is read access to any file the web server process can read: on a WordPress host that typically includes wp-config.php (database credentials and authentication salts), other plugin configuration, and files in the uploads directory, which is enough to pivot to direct database access or session forgery. No public exploit has been reported at the time of this record, but arbitrary file read with no preconditions is straightforward to weaponise. The record carries no CVSS vector (Cvss Version: null), so severity has to be judged from the description: unauthenticated, network-reachable, direct loss of confidentiality, which puts it in the high range. The affected range 'before 14' implies the fix shipped in version 14; the record itself links no patch URL, so operators should confirm the fixed version against the plugin's changelog rather than assume.
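The following is an added example, not code from the OrderConvo plugin (which is written in PHP) and not taken from the advisory. It shows, in Python so that it runs stand-alone, the flawed pattern the description implies (joining a request parameter onto the download directory and serving the result) beside a hardened resolver that canonicalises the path and checks containment. The site layout, file names and contents are constructed for the demonstration.

```python
"""Path traversal in a file-download handler: vulnerable resolve vs. hardened resolve."""
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    # The flawed pattern: concatenate user input onto the download directory
    # and trust the result. "../" segments walk straight out of base_dir.
    return os.path.join(base_dir, requested)


def hardened_resolve(base_dir: str, requested: str) -> str:
    """Return an absolute path inside base_dir, or raise ValueError."""
    # Decode once (a web server normally does this before the handler runs),
    # then refuse NUL bytes and absolute paths outright.
    name = unquote(requested)
    if "\x00" in name or os.path.isabs(name):
        raise ValueError("rejected: absolute path or NUL byte")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath() collapses ../ and follows symlinks, so a containment test on
    # the canonical form also catches a symlink planted inside base_dir.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"rejected: {requested!r} escapes {base_dir}")
    if not os.path.isfile(candidate):
        raise ValueError("rejected: not a regular file")
    return candidate


def read_download(base_dir: str, requested: str, resolver) -> bytes:
    with open(resolver(base_dir, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed site layout in a temp dir and run both resolvers."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads", "orderconvo")  # constructed
    os.makedirs(uploads)
    with open(os.path.join(uploads, "invoice-1001.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed invoice")
    with open(os.path.join(root, "wp-config.php"), "wb") as f:
        f.write(b"<?php define('DB_PASSWORD', 'constructed-secret');")
    # A symlink inside the download directory pointing at a sensitive file.
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(uploads, "link.pdf"))

    results = {}
    results["legit_vulnerable"] = read_download(uploads, "invoice-1001.pdf", vulnerable_resolve)
    results["legit_hardened"] = read_download(uploads, "invoice-1001.pdf", hardened_resolve)
    traversal = "../../../wp-config.php"
    # The vulnerable resolver happily serves wp-config.php from three levels up.
    results["traversal_vulnerable"] = read_download(uploads, traversal, vulnerable_resolve)
    # The hardened resolver blocks plain, percent-encoded, symlink and absolute forms.
    for payload in (traversal, "..%2F..%2F..%2Fwp-config.php", "link.pdf", "/etc/passwd"):
        try:
            read_download(uploads, payload, hardened_resolve)
            results[payload] = "ALLOWED"
        except ValueError:
            results[payload] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check is the minimum fix. The better design for an order-message attachment is to never accept a path from the client at all: look the attachment up by an ID stored with the message, serve the stored filename, and require a capability or nonce check that ties the download to the order's owner, which is what the original handler's missing authentication suggests was absent.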
Potential Impact
For European organizations, this vulnerability is primarily a confidentiality risk to customer and business data. Arbitrary file read on a WordPress host exposes wp-config.php and with it the database credentials and authentication salts; with those, an attacker can read customer names, addresses, and order histories directly from the database, forge authentication cookies, and from there modify content or install further code. Personal data of EU customers disclosed this way is a reportable breach under GDPR. E-commerce businesses relying on WooCommerce and this plugin face the usual consequences of such a breach: notification duties, reputational damage, and possible financial loss. Because no authentication is needed, attackers can sweep for vulnerable sites at scale rather than target individual retailers. The direct impact on integrity and availability is limited, but both become reachable as a second step once credentials or salts have been read.
Mitigation Recommendations
European organizations should first verify whether they run a version of 'Admin and Customer Messages After Order for WooCommerce: OrderConvo' below 14. The affected range in the advisory implies the fix is in version 14; update to that version or later, confirming against the plugin's changelog since this record links no patch URL. Where an update cannot be applied immediately, restrict access to the plugin's download functionality via web server configuration (IP allow-listing or an authentication requirement in front of the endpoint) or deactivate the plugin. Web Application Firewall rules that block dot-dot segments, including percent-encoded and double-encoded forms, in request paths and query strings reduce exposure but are a stopgap, not a fix. Review web server access logs for traversal patterns and for requests naming wp-config.php or other sensitive files; a 200 response to such a request should be treated as a likely disclosure, in which case rotate the database password and the authentication salts in wp-config.php and invalidate sessions. Audit file permissions so the web server user cannot read more than it needs, keep backups and the incident response plan current, and monitor WPScan and the plugin developer for further advisories.
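An added detection example for the log review recommended above; it is not part of the original advisory and is not tied to the plugin's actual endpoint, which the advisory does not name. The request path `/download` and parameter `file` in the sample lines are placeholders, and the log lines are constructed in Apache combined format. The scanner percent-decodes repeatedly so that double encoding does not hide a traversal, normalises backslashes, and ranks a 200 response to a request naming a sensitive file above a mere attempt.

```python
"""Flag path-traversal attempts in web-server access logs (Apache combined format)."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." path segment delimited by a slash or a query-string separator.
TRAVERSAL_RE = re.compile(r'(?:^|[/?=&;])\.\.(?:[/?&;#]|$)')
# File names that only make sense as traversal or sensitive-file targets.
SENSITIVE_RE = re.compile(r'(wp-config\.php|/etc/passwd|\.env\b|/proc/self)', re.IGNORECASE)

# Constructed sample log; endpoint and parameter names are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2025:06:11:15 +0000] "GET /download?file=invoice-1001.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2025:06:11:16 +0000] "GET /download?file=../../../wp-config.php HTTP/1.1" 200 3211 "-" "python-requests/2.32"
198.51.100.9 - - [07/Oct/2025:06:12:01 +0000] "GET /download?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 221 "-" "curl/8.0"
192.0.2.44 - - [07/Oct/2025:06:13:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Oct/2025:06:14:02 +0000] "GET /download?file=..\\..\\wp-config.php HTTP/1.1" 200 3211 "-" "curl/8.0"
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double encoding cannot hide '../'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalise backslashes so Windows-style traversal hits the same regex.
    target = fully_decode(m["target"]).replace("\\", "/")
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("dot-dot segment")
    if SENSITIVE_RE.search(target):
        reasons.append("sensitive file name")
    if not reasons:
        return None
    status = int(m["status"])
    # A 200 to a request that names a sensitive file is the one to escalate first.
    severity = "likely_success" if status == 200 and "sensitive file name" in reasons else "attempt"
    return {
        "ip": m["ip"], "ts": m["ts"], "target": m["target"], "decoded": target,
        "status": status, "reasons": reasons, "severity": severity,
    }


def scan(log_text: str) -> list:
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"]:15} {finding["ip"]:15} {finding["status"]} {finding["decoded"]}')
```

Run it against the real access log by passing the file contents to scan(). Tune SENSITIVE_RE to the host (add paths to backups, .htpasswd, or other secrets stored under the web root), and treat any likely_success finding as a credential-rotation event rather than a blocked attempt.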
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-09-09T12:51:44.415Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68e4af0350b3b89b2181d405
Added to database: 10/7/2025, 6:11:15 AM
Last enriched: 10/7/2025, 6:11:52 AM
Last updated: 10/7/2025, 12:40:49 PM