Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal. This issue affects WooCommerce Support Ticket System: from n/a through < 18.5.
Published: 2026-03-25
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to delete arbitrary files from the server by exploiting a path traversal flaw in the WooCommerce Support Ticket System plugin. This weakness, identified as CWE-22, can compromise file integrity and potentially lead to denial of service if critical system or plugin files are removed.

Affected Systems

The WooCommerce Support Ticket System plugin for WordPress, provided by vanquish, is affected in all releases prior to version 18.5. The flaw is present in every version from its introduction until the identified fix in 18.5.

Risk and Exploitability

The CVSS base score of 8.6 indicates high severity, while an EPSS score of less than 1% suggests a low but non-zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attacks are likely to target sites where users can trigger ticket deletion operations. Based on the description, it is inferred that an attacker would need access to the plugin’s deletion functionality, which typically requires authenticated administrative access; the CVSS vector recorded for this CVE, however, specifies PR:N (no privileges required). If exploited, an attacker could delete arbitrary files, compromising the availability, confidentiality, or integrity of the WordPress installation.

Generated by OpenCVE AI on March 26, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Support Ticket System plugin to version 18.5 or newer
  • If upgrading is not immediately possible, restrict access to the plugin’s file deletion endpoint by blocking unauthenticated requests or applying appropriate role‑based access controls
  • If the file deletion feature is not critical to operations, consider disabling it entirely
  • Configure the web server or application firewall to reject path traversal attempts

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Vanquish
  Vanquish woocommerce Support Ticket System
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Vanquish
  Vanquish woocommerce Support Ticket System
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal. This issue affects WooCommerce Support Ticket System: from n/a through < 18.5.

Type: Title
Values Removed: (none)
Values Added: WordPress WooCommerce Support Ticket System plugin < 18.5 - Arbitrary File Deletion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:40:21.583Z

Reserved: 2026-03-12T11:12:19.946Z

Link: CVE-2026-32522

Vulnrichment

Updated: 2026-03-26T18:39:07.764Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:17:05.090

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32522

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:45Z

Weaknesses