Cyber Posture

CVE-2025-10897

Severity: High
Published: 31 October 2025
Modified: 15 April 2026
KEV Added: none shown
Patch: none shown
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.2258 (95.9th percentile)
Risk Priority: 31 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Arbitrary file read (CWE-22, path traversal) in the WooCommerce Designer Pro theme for WordPress, affecting all versions up to and including 1.9.28. An unauthenticated remote attacker can read arbitrary files from the web server, including wp-config.php.

Security Summary

CVE-2025-10897 is an arbitrary file read vulnerability (CWE-22, path traversal) in the WooCommerce Designer Pro theme for WordPress, affecting all versions up to and including 1.9.28. Published on 2025-10-31, it lets an attacker read arbitrary files from the server, such as wp-config.php, exposing database credentials, authentication salts and other sensitive configuration data. The CVSS v3.1 base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N): network-reachable, low attack complexity, no privileges or user interaction required, and changed scope, since a file read from the theme reaches data owned by the WordPress installation and the database behind it.
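The weakness class behind this CVE is a file resolver that joins attacker-controlled input onto a base directory without checking where the result lands. The following is an added example, not code from the WooCommerce Designer Pro theme or from the advisory: it shows a resolver with that defect beside a hardened one, exercised against a throwaway directory tree. The directory layout, file names and the `resolve_*`/`is_blocked` names are assumptions made for illustration.

```python
"""Path traversal (CWE-22) file read: a vulnerable resolver beside a hardened one.

Added example for this page; not the theme's code. The WordPress-like tree built
in demo() and the function names are assumptions for illustration only.
"""
import os
import tempfile
from urllib.parse import unquote


class TraversalError(Exception):
    """Raised when a requested path would escape the allowed directory."""


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    # Vulnerable: joins user input onto the base directory with no check on
    # where the result lands. "../" walks out of base_dir, and an absolute
    # path makes os.path.join discard base_dir entirely.
    return os.path.join(base_dir, unquote(requested))


def resolve_safe(base_dir: str, requested: str) -> str:
    # Hardened: decode, canonicalise (realpath also follows symlinks), then
    # verify the canonical target is still inside the canonical base directory.
    base_real = os.path.realpath(base_dir)
    # Decode twice so a double-encoded "%252e%252e/" cannot slip past a front
    # end that decodes only once.
    decoded = unquote(unquote(requested))
    if os.path.isabs(decoded) or "\x00" in decoded:
        raise TraversalError(f"rejected absolute or NUL-containing path: {requested!r}")
    target = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, target]) != base_real:
        raise TraversalError(f"{requested!r} resolves outside {base_real}")
    return target


def is_blocked(base_dir: str, requested: str) -> bool:
    """True if the hardened resolver refuses the request."""
    try:
        resolve_safe(base_dir, requested)
    except TraversalError:
        return True
    return False


def read_file(resolver, base_dir: str, requested: str) -> str:
    """Read a file through the given resolver and return its contents."""
    with open(resolver(base_dir, requested), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway WordPress-like tree and exercise both resolvers.

    Returns a dict of outcomes so behaviour can be checked without printing.
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout: files are meant to be served only from the
        # theme's "exports" directory; wp-config.php sits at the site root,
        # four levels above it.
        exports = os.path.join(root, "wp-content", "themes", "theme", "exports")
        os.makedirs(exports)
        with open(os.path.join(exports, "report.csv"), "w", encoding="utf-8") as fh:
            fh.write("order,total\n1,9.99\n")
        with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")

        traversal = "../../../../wp-config.php"
        payloads = (
            traversal,
            "%2e%2e/%2e%2e/%2e%2e/%2e%2e/wp-config.php",          # single-encoded
            "%252e%252e/%252e%252e/%252e%252e/%252e%252e/wp-config.php",  # double-encoded
            os.path.join(root, "wp-config.php"),                  # absolute path
        )
        blocked = [is_blocked(exports, p) for p in payloads]
        return {
            "vuln_reads_config": "DB_PASSWORD" in read_file(resolve_vulnerable, exports, traversal),
            "safe_serves_allowed": read_file(resolve_safe, exports, "report.csv").startswith("order"),
            "safe_blocks_traversal": all(blocked),
            "payloads_tested": len(blocked),
        }


if __name__ == "__main__":
    print(demo())
```

The prefix check is done on the canonicalised path, not on the raw string, so a filter that merely strips `../` from the input (which `..././` style payloads defeat) is never relied upon.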

Unauthenticated attackers can exploit this vulnerability remotely with no privileges and no user interaction. The impact is a high-confidentiality breach: any file the web server process can read is exposed, and the contents of wp-config.php (database credentials and authentication keys and salts) are typically enough for full site compromise, either through direct database access or by forging sessions and escalating from there.

Advisories reference the WooCommerce Designer Pro theme product page on Codecanyon and the Wordfence threat intelligence entry for the vulnerability (ID: 3a47cdeb-bd05-4e7e-99dc-dca67064182a). The core CVE details give no mitigation steps and this page lists no patch, so practitioners should check those sources for a fixed release before relying on an update. Where a site ran an affected version while exposed, assume wp-config.php has been read: rotate the database password and the authentication keys and salts, and review the database for unauthorised administrator accounts.

Details

CWE(s)
CWE-22

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The flaw sits in a public-facing WordPress theme, so exploiting it is the entry point described by T1190 (Exploit Public-Facing Application). The exploit's effect is a read of local files, which is T1005 (Data from Local System), and the file attackers target first, wp-config.php, holds stored credentials, which is T1552.001 (Credentials In Files).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
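Because T1190 exploitation of a file read leaves its evidence in web server access logs, the mapping above can be turned into a detection. The following is an added example written for this page, not a Wordfence rule or a detection from the theme's vendor. The log lines are constructed, and the endpoint path `handler.php` and the query parameter `file` are placeholders rather than the theme's real endpoint and parameter, so the logic keys on traversal sequences and on sensitive target file names rather than on any specific parameter.

```python
"""Flag path-traversal attempts against a WordPress site in combined-format
access logs, tagging each hit with the ATT&CK technique it evidences.

Added example for this page; not a vendor detection. Log lines, the endpoint
name and the `file` parameter are constructed placeholders.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format up to the response size; referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Illustrative list of files attackers pull through an arbitrary read on a
# WordPress host; extend for the environment being monitored.
SENSITIVE_FILES = ("wp-config.php", "/etc/passwd", "/proc/self/environ", ".htaccess", ".env")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (catches %252e%252e)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    candidates = [fully_decode(parts.path)]
    candidates += [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for value in candidates:
        traversal = bool(TRAVERSAL_RE.search(value))
        hit = next((name for name in SENSITIVE_FILES if name in value), None)
        if traversal or hit:
            return {"value": value, "traversal": traversal, "sensitive_file": hit}
    return None


def scan(lines) -> list:
    """Run inspect_request over each parsable log line and collect findings."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        finding = inspect_request(match["target"])
        if finding is None:
            continue
        status = int(match["status"])
        finding.update(
            ip=match["ip"],
            ts=match["ts"],
            status=status,
            technique="T1190",
            # A 200 on a request naming a sensitive file means the read most
            # likely succeeded: treat the credentials in it (T1552.001) as exposed.
            likely_success=status == 200 and finding["sensitive_file"] is not None,
        )
        findings.append(finding)
    return findings


# Constructed sample log (RFC 5737 documentation addresses). The endpoint and
# parameter are placeholders, not the theme's actual ones.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Oct/2025:10:14:02 +0000] "GET /wp-content/themes/example-theme/handler.php?file=../../../../wp-config.php HTTP/1.1" 200 3121 "-" "curl/8.4.0"',
    '203.0.113.7 - - [31/Oct/2025:10:14:05 +0000] "GET /wp-content/themes/example-theme/handler.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 2044 "-" "curl/8.4.0"',
    '198.51.100.23 - - [31/Oct/2025:10:20:41 +0000] "GET /wp-content/themes/example-theme/handler.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.32"',
    '192.0.2.10 - - [31/Oct/2025:10:21:00 +0000] "GET /wp-content/themes/example-theme/style.css?ver=1.9.28 HTTP/1.1" 200 8810 "https://shop.example/" "Mozilla/5.0"',
    '192.0.2.10 - - [31/Oct/2025:10:21:03 +0000] "GET /shop/?add-to-cart=42 HTTP/1.1" 302 0 "https://shop.example/" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["technique"], f["sensitive_file"], f["likely_success"])
```

Decoding is applied to the path and to every query value separately, and repeated, so single- and double-encoded traversal land on the same rule; the response status is then used to separate blocked probes from reads that probably succeeded and need the credential rotation discussed above.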
