CVE-2024-10625
Published: 09 November 2024
Summary
CVE-2024-10625 is a critical-severity Path Traversal (CWE-22) vulnerability in Vanquish Woocommerce Support Ticket System. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion in all versions through 17.7. The flaw stems from insufficient path validation inside the delete_tmp_uploaded_file() function, which permits path traversal (CWE-22) and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can supply crafted file paths to the vulnerable function and delete any file readable by the web server. Successful deletion of critical files such as wp-config.php can disable the site or enable remote code execution by allowing subsequent database or configuration manipulation.
The Wordfence advisory and the Codecanyon plugin page indicate that the issue is resolved in versions newer than 17.7; administrators are advised to update immediately.
The CVE's EPSS score rose from low values after disclosure to a peak of 0.5221 on 2025-12-18 before receding to its current 0.4062, indicating that exploitation interest increased measurably in the months following publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33215
Vulnerability details
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
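The control above, and the weakness described under "Deeper analysis", both come down to one check: a temporary-upload deletion routine must only ever remove a file that actually lives inside its own upload directory. The following is an added example written for this page; it is not the plugin's code, and the function names, the directory layout and the demonstration file are assumptions. It shows a hardened stand-in for a delete_tmp_uploaded_file()-style routine that rejects separators and parent references in the supplied name, canonicalises the result with realpath(), and refuses anything that resolves outside the base directory, including a symlink planted there.

```php
<?php
// Added example, not the plugin's code. Function names and the temporary
// upload directory are assumptions made for illustration.

/**
 * Resolve $filename against $base_dir and confirm the result stays inside it.
 * Returns the canonical absolute path on success, or null when the name
 * escapes the directory, does not exist, or is not a regular file.
 */
function resolve_inside_dir(string $base_dir, string $filename): ?string {
    // A temporary upload is addressed by a bare file name. Anything with a
    // directory separator, a parent reference, or a NUL byte is refused
    // before it reaches the filesystem.
    if ($filename === '' || $filename === '.' || $filename === '..'
        || strpos($filename, '/') !== false
        || strpos($filename, '\\') !== false
        || strpos($filename, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() follows symlinks, so a link inside the upload directory that
    // points at a file elsewhere resolves to its real location and fails the
    // prefix comparison below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened stand-in for a delete_tmp_uploaded_file()-style routine.
 * Assumes the caller has already checked the requester's capability and
 * verified a nonce; this function only decides whether the path is safe.
 */
function delete_tmp_uploaded_file_safe(string $tmp_dir, string $filename): bool {
    $path = resolve_inside_dir($tmp_dir, $filename);
    if ($path === null) {
        // Logging refused names gives defenders a signal worth alerting on.
        error_log('tmp upload delete refused for name: ' . $filename);
        return false;
    }
    return unlink($path);
}

// Constructed demonstration: a scratch directory with one legitimate upload.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wsts_demo_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'upload.bin', 'x');

var_dump(delete_tmp_uploaded_file_safe($tmp, 'upload.bin'));
var_dump(delete_tmp_uploaded_file_safe($tmp, '../../wp-config.php'));
var_dump(delete_tmp_uploaded_file_safe($tmp, 'does-not-exist.bin'));

rmdir($tmp);
```

The bare-name filter alone would already block the classic `../` payload, but the realpath() prefix comparison is what makes the routine robust against names that are syntactically clean yet resolve elsewhere. Keeping both checks, and logging every refusal, turns the vulnerable pattern into one that is both safe and observable.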