Platform
wordpress
Component
wc-designer-pro
Fixed in
1.9.29
CVE-2025-10897 describes an arbitrary file access vulnerability discovered in WooCommerce Designer Pro, a WordPress theme. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, posing a significant risk to sensitive data. The vulnerability affects versions 1.0.0 through 1.9.28, and a patch is available in version 1.9.31.
The primary impact of CVE-2025-10897 is the potential for unauthorized access to sensitive files on the server. An attacker could exploit this vulnerability to read files such as wp-config.php, which contains database credentials, allowing them to gain full control over the WordPress database. This could lead to data breaches, website defacement, and complete compromise of the WordPress installation. The ability to read arbitrary files also opens the door to discovering other sensitive information, such as API keys, configuration files, and source code, further expanding the attack surface.
CVE-2025-10897 was published on 2025-10-31. While no public exploits have been confirmed, the ease of exploitation and the potential for significant data exposure suggest a medium probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Websites using WooCommerce Designer Pro theme versions 1.0.0 through 1.9.28 are at direct risk. Shared hosting environments are particularly vulnerable, as attackers may be able to exploit the vulnerability on multiple websites hosted on the same server. WordPress installations with default configurations and weak file permissions are also at increased risk.
• wordpress / composer / npm:
grep -r "wp-content/plugins/woocommerce-designer-pro/includes/" /var/log/apache2/access.log
• wordpress / composer / npm:
wp plugin list --status=inactive | grep woocommerce-designer-pro
• wordpress / composer / npm:
wp plugin list | grep woocommerce-designer-pro
Disclosure
Exploit status
EPSS
0.21% (44th percentile)
CISA SSVC
CVSS vector
The most effective mitigation for CVE-2025-10897 is to immediately upgrade WooCommerce Designer Pro to version 1.9.31 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file permissions on the web server to minimize the potential impact of a successful exploit. Implement a Web Application Firewall (WAF) with rules to block attempts to access sensitive files like wp-config.php. Regularly review WordPress plugin installations and remove any unused or outdated plugins.
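As an added example (not code from the advisory or the plugin vendor), the access-log grep above can be turned into a small scanner that URL-decodes each request to the plugin's includes path and flags the ones that reference files outside that directory, which is what a WAF rule for this issue would also key on. The plugin path is the one from the advisory's own check; the endpoint name `example.php`, the parameter `f` and the log lines are constructed placeholders, not the real vulnerable endpoint.

```python
"""Flag access-log requests to the plugin path that look like out-of-directory file reads."""
import re
from urllib.parse import unquote

# Path taken from the advisory's grep command.
PLUGIN_PATH = "/wp-content/plugins/woocommerce-designer-pro/includes/"

# Indicators checked on the part of the request after PLUGIN_PATH: traversal
# sequences, an absolute path in a query value, or wp-config.php by name.
INDICATORS = re.compile(r"(\.\./|\.\.\\|[=&]/|wp-config\.php)", re.IGNORECASE)

# Request line of the Apache combined / nginx default log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (endpoint and parameter names are placeholders).
SAMPLE_LOG = """\
203.0.113.10 - - [31/Oct/2025:10:01:02 +0000] "GET /wp-content/plugins/woocommerce-designer-pro/includes/example.php?f=design.svg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [31/Oct/2025:10:01:05 +0000] "GET /wp-content/plugins/woocommerce-designer-pro/includes/example.php?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [31/Oct/2025:10:01:09 +0000] "GET /wp-content/plugins/woocommerce-designer-pro/includes/example.php?f=%252e%252e%252fwp-load.php HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.13 - - [31/Oct/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def decode_target(target: str) -> str:
    """Decode twice so double-encoded sequences (%252e%252e) become visible."""
    return unquote(unquote(target))


def classify(line: str):
    """Return a record for a request under PLUGIN_PATH, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    if PLUGIN_PATH not in target:
        return None
    tail = target.split(PLUGIN_PATH, 1)[1]  # file name plus query string
    hit = INDICATORS.search(tail) is not None
    status = int(m.group("status"))
    return {"ip": m.group("ip"), "status": status, "target": target,
            "suspicious": hit,
            # a 200 on a suspicious request means the server likely served the file
            "likely_success": hit and status == 200}


def scan(log_text: str):
    """All suspicious plugin requests in the log, in order."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["suspicious"]]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["target"])
```

Run it against the real log instead of `SAMPLE_LOG` to get a list of source addresses to block and to check whether any request for wp-config.php returned 200, which would mean credential rotation rather than just patching.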
Update to version 1.9.31 or a newer patched version.
CVE-2025-10897 is a HIGH severity vulnerability allowing unauthenticated attackers to read arbitrary files on a WordPress server running WooCommerce Designer Pro versions 1.0.0–1.9.28, potentially exposing sensitive data.
You are affected if your WordPress site uses WooCommerce Designer Pro versions 1.0.0 through 1.9.28. Check your plugin versions and upgrade immediately if vulnerable.
Upgrade WooCommerce Designer Pro to version 1.9.31 or later to resolve the vulnerability. Implement temporary workarounds like restricting file permissions if immediate upgrading is not possible.
While active exploitation is not confirmed, the vulnerability's simplicity and impact make it a likely target for attackers. Monitor your systems closely.
Refer to the WooCommerce Designer Pro website or plugin repository for the official advisory and update information.