Path Traversal in Blindmatrix E-commerce

CVE-2025-10406

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI att…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.002 (15.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N.

Affected products

  • Unknown Blindmatrix E-commerce — versions 0

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2025-10406?
CVE-2025-10406 is a medium-severity vulnerability in Blindmatrix E-commerce, classified under Path Traversal. CVSS score: 5.5/10. Published 2025-10-15.
How severe is CVE-2025-10406?
Medium severity. CVSS v3 base score is 5.5 out of 10.