Path Traversal Vulnerability in ilGhera Carta Docente for WooCommerce
CVE-2026-2421

6.5MEDIUM

Key Information:

Vendor

WordPress
Status
Ilghera Carta Docente For WooCommerce
Vendor
CVE Published:
20 March 2026

What is CVE-2026-2421?

The ilGhera Carta Docente for WooCommerce plugin is susceptible to a path traversal vulnerability in all versions up to and including 1.5.0. This security flaw arises from inadequate validation of file paths during the execution of the 'wccd-delete-certificate' AJAX action, specifically through the 'cert' parameter. As a result, authenticated attackers with Administrator-level access can exploit this vulnerability to delete arbitrary files on the server. Such deletions could include sensitive files like wp-config.php, potentially leading to full site compromise and remote code execution risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

ilGhera Carta Docente for WooCommerce * <= 1.5.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wc-carta-docen...
https://plugins.trac.wordpress.org/browser/wc-carta-docen...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Abhirup Konwar
JSON
.