The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
References
Link | Resource |
---|---|
https://codecanyon.net/item/woocommerce-support-ticket-system/17930050 | Product |
https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb2c829-579f-41e2-ad5f-8e4fc125d980?source=cve | Third Party Advisory |
Configurations
History
28 May 2025, 20:48
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:vanquish:woocommerce_support_ticket_system:*:*:*:*:*:wordpress:*:* | |
First Time |
Vanquish woocommerce Support Ticket System
Vanquish |
|
References | () https://codecanyon.net/item/woocommerce-support-ticket-system/17930050 - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb2c829-579f-41e2-ad5f-8e4fc125d980?source=cve - Third Party Advisory |
12 Nov 2024, 13:56
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
09 Nov 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-11-09 04:15
Updated : 2025-05-28 20:48
NVD link : CVE-2024-10626
Mitre link : CVE-2024-10626
CVE.ORG link : CVE-2024-10626
JSON object : View
Products Affected
vanquish
- woocommerce_support_ticket_system
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')