A high-severity vulnerability has been identified in the "Admin and Customer Messages After Order for WooCommerce: OrderConvo" WordPress plugin. This flaw allows an unauthenticated attacker to bypass security controls and download sensitive files from the web server, potentially exposing confidential information such as database credentials, user data, and system configuration files.

The vulnerability is a path traversal (also known as Directory Traversal) located in a file download function of the plugin. The application fails to properly validate or sanitize user-supplied input for a file path. An unauthenticated attacker can exploit this by crafting a malicious request with "dot-dot-slash" (../) sequences to navigate outside of the intended directory and access arbitrary files on the server's file system, limited only by the web server's user permissions.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach by allowing an attacker to read sensitive files such as wp-config.php (containing database credentials), /etc/passwd (listing system users), or other application source code and configuration files. This exposure could facilitate further attacks, leading to a full system compromise, unauthorized access to customer data, reputational damage, and potential non-compliance with data protection regulations.

Immediate Action: Immediately update the "Admin and Customer Messages After Order for WooCommerce: OrderConvo" plugin to version 14 or the latest available version, which contains the patch for this vulnerability. If the plugin is not essential for business operations, consider deactivating and removing it to reduce the overall attack surface.

Proactive Monitoring: Monitor web server access logs for requests containing path traversal sequences such as ../, ..%2f, or ..%5c targeting the affected plugin's endpoints. Implement file integrity monitoring to detect unauthorized access to critical system and configuration files.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block path traversal attack patterns. Additionally, ensure the web server is hardened by enforcing strict file permissions, preventing the web server process from reading files outside of its root directory.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the fact that this vulnerability can be exploited by an unauthenticated attacker with low complexity, organizations are strongly advised to prioritize remediation. The potential for sensitive data exposure presents a significant risk. All instances of the affected plugin should be updated to the latest version immediately. If the plugin is no longer required, it should be removed as a best practice for attack surface reduction.