Cyber Resilience

CVE-2024-10625

Severity: Critical
Published: 09 November 2024
Modified: 28 May 2025
KEV Added: not listed
Patch: available (versions newer than 17.7)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4062 (97.5th percentile)
Risk Priority: 44 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-10625 is a critical-severity Path Traversal (CWE-22) vulnerability in the WooCommerce Support Ticket System plugin for WordPress, sold by Vanquish. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 2.5% of CVEs by estimated exploitation likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion in all versions through 17.7. The flaw stems from insufficient path validation inside the delete_tmp_uploaded_file() function: the filename the function is asked to remove is not confined to the temporary-upload directory, so traversal sequences in it (CWE-22) reach other locations on the server. The issue carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can supply crafted file paths to the vulnerable function and delete any file the web server process has permission to remove. Deleting wp-config.php is the usual target: WordPress then believes it is not installed and exposes its setup routine, which an attacker can complete against a database they control, turning the deletion into remote code execution. Deleting other critical files can simply take the site offline.

The Wordfence advisory and the Codecanyon plugin page indicate that the issue is resolved in versions newer than 17.7; administrators are advised to update immediately.

EPSS for the CVE rose from low values after disclosure to a peak of 0.5221 on 2025-12-18 before receding to the current 0.4062, indicating that exploitation interest increased measurably in the months following publication.

Vulnerability details

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vanquish
Product: woocommerce support ticket system
Versions: ≤ 17.8 (the advisory text above cites all versions through 17.7)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames so that a request cannot reach files outside the intended directory. In practice that means restricting user-supplied names to a single path component, canonicalising the resulting path, and checking that it still lies under the allowed base directory before performing any file operation.
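As an added illustration for the "Deeper analysis" section and the control above (this is not the plugin's code, which is not reproduced on this page), the pattern the advisory describes in PHP: a temporary-upload cleanup helper that trusts a client-supplied filename, beside a hardened version that limits the name to a single path component, canonicalises it with realpath() and checks containment in the upload directory before calling unlink(). The function and variable names and the throw-away WordPress-like directory tree are assumptions constructed for this example. Run from the command line, the hardened function refuses `../wp-config.php` and still removes a legitimate temp upload, while the vulnerable function follows the traversal and removes the fake configuration file.

```php
<?php
// Added illustration, not the plugin's own code. Function names, the
// $tmp_dir layout and the demo files are assumptions made for this example.
declare(strict_types=1);

// Vulnerable pattern: the client-supplied name is joined onto the upload
// directory with no validation, so "../wp-config.php" escapes it.
function delete_tmp_file_vulnerable(string $tmp_dir, string $name): bool
{
    $path = rtrim($tmp_dir, '/') . '/' . $name;
    return is_file($path) && unlink($path);
}

// Hardened pattern: refuse anything that is not a plain filename, then
// canonicalise and require the resolved path to sit inside the upload dir.
function delete_tmp_file_safe(string $tmp_dir, string $name): bool
{
    // Layer 1: a temp-upload name must be a single path component with no
    // null bytes, separators or dot-segments.
    if ($name === '' || strpos($name, "\0") !== false || strpos($name, '\\') !== false) {
        return false;
    }
    if ($name !== basename($name) || $name === '.' || $name === '..') {
        return false;
    }

    // Layer 2: realpath() resolves symlinks and ".." on both sides and
    // returns false for missing files, which also rejects nonexistent targets.
    $base = realpath($tmp_dir);
    if ($base === false) {
        return false;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false) {
        return false;
    }

    // Containment check: the resolved target must be strictly under $base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return is_file($path) && unlink($path);
}

// Constructed demonstration: a throw-away directory standing in for the
// WordPress root, with a fake wp-config.php and a plugin tmp-upload folder.
$root = sys_get_temp_dir() . '/wsts-demo-' . bin2hex(random_bytes(4));
mkdir("$root/tmp-uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // fake config\n");
file_put_contents("$root/tmp-uploads/upload1.txt", "pending attachment\n");

$attack = '../wp-config.php';

echo "hardened, traversal name: ";
var_dump(delete_tmp_file_safe("$root/tmp-uploads", $attack));
echo "wp-config.php still present: ";
var_dump(file_exists("$root/wp-config.php"));

echo "hardened, legitimate temp upload: ";
var_dump(delete_tmp_file_safe("$root/tmp-uploads", 'upload1.txt'));

echo "vulnerable, traversal name: ";
var_dump(delete_tmp_file_vulnerable("$root/tmp-uploads", $attack));
echo "wp-config.php still present: ";
var_dump(file_exists("$root/wp-config.php"));

// Remove the demo tree.
rmdir("$root/tmp-uploads");
rmdir($root);
```

The two layers are deliberately redundant: the basename check rejects the obvious payloads before any filesystem access, and the realpath() containment check covers cases the string check cannot see, such as a symlink inside the upload directory pointing elsewhere. Rejecting names whose realpath() is false also stops the function from being used as an existence oracle for files outside the directory.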
