Unauthenticated File Deletion Vulnerability in WooCommerce Support Ticket System Plugin
CVE-2024-10625
9.8CRITICAL
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 November 2024
What is CVE-2024-10625?
The WooCommerce Support Ticket System plugin for WordPress contains a vulnerability in the delete_tmp_uploaded_file() function, affecting all versions up to 17.7. This weakness arises from inadequate validation of file paths, which allows unauthenticated attackers to delete arbitrary files from the server. Such an action poses a significant risk, as the deletion of crucial files—like wp-config.php—could facilitate remote code execution, enabling attackers to take control over the affected site.
Affected Version(s)
WooCommerce Support Ticket System 0 <= 17.6