The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.
WooCommerce Designer Pro <= 1.9.28 - Unauthenticated Arbitrary File Read
Problem type
Affected products
JMA Plugins
<= 1.9.28 - AFFECTED
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/3a47cdeb-bd05-4e7e-99dc-dca67064182a?source=cve
https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731
GitHub Security Advisories
GHSA-mw5m-g282-gj23
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all...
https://github.com/advisories/GHSA-mw5m-g282-gj23
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.
https://nvd.nist.gov/vuln/detail/CVE-2025-10897
https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731
https://www.wordfence.com/threat-intel/vulnerabilities/id/3a47cdeb-bd05-4e7e-99dc-dca67064182a?source=cve
https://github.com/advisories/GHSA-mw5m-g282-gj23
JSON source
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-10897",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"dateUpdated": "2025-10-31T17:18:59.208Z",
"dateReserved": "2025-09-23T18:52:28.625Z",
"datePublished": "2025-10-31T07:26:39.837Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2025-10-31T07:26:39.837Z"
},
"title": "WooCommerce Designer Pro <= 1.9.28 - Unauthenticated Arbitrary File Read",
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read."
}
],
"affected": [
{
"vendor": "JMA Plugins",
"product": "WooCommerce Designer Pro",
"defaultStatus": "unaffected",
"versions": [
{
"version": "*",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "1.9.28"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a47cdeb-bd05-4e7e-99dc-dca67064182a?source=cve"
},
{
"url": "https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731"
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"baseScore": 8.6,
"baseSeverity": "HIGH"
}
}
],
"timeline": [
{
"time": "2025-09-23T00:00:00.000+00:00",
"lang": "en",
"value": "Discovered"
},
{
"time": "2025-10-30T19:12:08.000+00:00",
"lang": "en",
"value": "Disclosed"
}
],
"credits": [
{
"lang": "en",
"value": "István Márton",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-10-31T17:18:59.208Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}