Platform: wordpress
Component: wc-designer-pro
Fixed in: 1.9.29
CVE-2025-10897 describes an arbitrary file access vulnerability discovered in WooCommerce Designer Pro, a WordPress theme. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, posing a significant risk to sensitive data. The vulnerability affects versions 1.0.0 through 1.9.28, and a patch is available in version 1.9.31.
The primary impact of CVE-2025-10897 is the potential for unauthorized access to sensitive files on the server. An attacker could exploit this vulnerability to read files such as wp-config.php, which contains database credentials, allowing them to gain full control over the WordPress database. Successful exploitation could lead to data breaches, website defacement, and complete compromise of the WordPress installation. The lack of authentication required for exploitation significantly increases the attack surface and potential for widespread abuse.
CVE-2025-10897 was published on 2025-10-31. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the vulnerability's impact. The vulnerability's simplicity and the widespread use of WordPress themes make it a potential target for automated scanning and exploitation campaigns. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.21% (44th percentile)
The primary mitigation for CVE-2025-10897 is to upgrade WooCommerce Designer Pro to version 1.9.31 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds. Restrict file permissions on sensitive files like wp-config.php to prevent unauthorized access. Implement a Web Application Firewall (WAF) with rules to block attempts to access arbitrary files. Monitor WordPress logs for suspicious file access attempts. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via the vulnerable endpoint and verifying that access is denied.
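To make the log-monitoring workaround above concrete, here is an added example (not from the advisory or the theme's own code) that flags access-log requests carrying URL-encoded or double-encoded traversal sequences, or references to sensitive files, and marks which of them the server actually served. The detection patterns, the sample log lines and the endpoint path are constructed assumptions; the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Indicators of an arbitrary-file-read attempt, checked after URL decoding
# (pattern choice is this example's assumption, not from the advisory).
TRAVERSAL = re.compile(r"\.\./")
SENSITIVE = re.compile(r"wp-config\.php|/etc/passwd", re.IGNORECASE)
# Common-log-format request line: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def normalize(target: str) -> str:
    """URL-decode up to three times so double-encoded traversal is not missed."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target.replace("\\", "/")

def classify(line: str):
    """Return a hit record for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = normalize(m.group("target"))
    reasons = []
    if TRAVERSAL.search(target):
        reasons.append("path-traversal")
    if SENSITIVE.search(target):
        reasons.append("sensitive-file")
    if not reasons:
        return None
    status = int(m.group("status"))
    # A 200 on such a request needs incident-response triage, not just a WAF block.
    return {"ip": m.group("ip"), "target": target, "status": status,
            "served": status == 200, "reasons": reasons}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample access-log lines (not real traffic); /index.php?file= is a
# placeholder endpoint, since the advisory does not name the vulnerable one.
SAMPLE = [
    '203.0.113.5 - - [31/Oct/2025:10:00:00 +0000] "GET /index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 4321',
    '198.51.100.7 - - [31/Oct/2025:10:00:01 +0000] "GET /wp-content/themes/wc-designer-pro/style.css HTTP/1.1" 200 1234',
    '203.0.113.5 - - [31/Oct/2025:10:00:02 +0000] "GET /index.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 4321',
    '192.0.2.9 - - [31/Oct/2025:10:00:03 +0000] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
]
```

Pipe your real access log into `scan()` and alert on any hit with `served` set, since those are the requests most likely to have disclosed file contents.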
Update to version 1.9.31, or a newer patched version
CVE-2025-10897 is a HIGH severity vulnerability allowing unauthenticated attackers to read arbitrary files on a WordPress server running WooCommerce Designer Pro versions 1.0.0–1.9.28, potentially exposing sensitive data.
You are affected if your WordPress site uses WooCommerce Designer Pro versions 1.0.0 through 1.9.28. Check your plugin versions and upgrade immediately if vulnerable.
Upgrade WooCommerce Designer Pro to version 1.9.31 or later to resolve the vulnerability. Implement temporary workarounds like restricting file permissions if immediate upgrading is not possible.
While active exploitation is not confirmed, the vulnerability's simplicity and impact make it a likely target for attackers. Monitor your systems closely.
Refer to the WooCommerce Designer Pro website or plugin repository for the official advisory and update information.