Description
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status.
Published: 2026-01-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary deletion and status modification of support tickets
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows authenticated users, including those with the minimum Subscriber privilege and higher, to delete or change the status of any support ticket managed by the ilGhera Support System for WooCommerce plugin. An attacker who can authenticate to the site can thus erase historical ticket data or alter the progress of existing tickets, potentially causing loss of record, loss of service continuity, and confusion for both customers and staff. The weakness is a missing capability check on functions that handle ticket deletion and status changes, identified as CWE‑862.

Affected Systems

The affected vendor is ghera74, product "ilGhera Support System for WooCommerce". All releases up to and including version 1.2.6 are vulnerable; newer releases beyond 1.2.6 are presumed to have fixed the issue.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability that this exploit will be seen in the wild. The vulnerability is not listed in the CISA KEV catalog. The exploit requires authentication, typically achieved by any WordPress user with Subscriber or higher roles. An attacker can use the exposed administrative endpoints (e.g., /wp-admin/admin-ajax.php?action=delete_single_ticket_callback) to invoke the deletion or status change actions without the necessary capability checks. Because the vulnerability exists only on authenticated sessions, perimeter defenses alone do not mitigate it; insider risk or accidental privilege abuse is a primary concern.

Generated by OpenCVE AI on April 20, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ilGhera Support System for WooCommerce plugin to the latest version (≥1.2.7) which includes the missing capability checks.
  • If an upgrade is not immediately possible, restrict the Subscriber role (and any roles below Administrator) from accessing the ticket deletion and status change endpoints by removing the corresponding capabilities or overriding the plugin’s role definitions.
  • Enable audit logging for ticket deletions and status changes and regularly review the logs for unauthorized activity.

Generated by OpenCVE AI on April 20, 2026 at 21:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Ilghera
Ilghera woocommerce Support System
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Ilghera
Ilghera woocommerce Support System
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status.
Title ilGhera Support System for WooCommerce <= 1.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Ilghera Woocommerce Support System
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:21.336Z

Reserved: 2025-12-04T15:03:56.626Z

Link: CVE-2025-14034

cve-icon Vulnrichment

Updated: 2026-01-06T15:00:43.716Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T04:15:53.057

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14034

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses