Cyber Resilience

CVE-2024-10626

High

Published: 09 November 2024

Modified: 28 May 2025
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2448 (96.2th percentile)
Risk Priority: 32 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-10626 is a high-severity Path Traversal (CWE-22) vulnerability in Vanquish Woocommerce Support Ticket System. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion in all versions through 17.7. The flaw stems from insufficient file path validation in the delete_uploaded_file() function, classified as CWE-22 path traversal, and carries a CVSS 3.1 score of 8.8.

Authenticated attackers with Subscriber-level access or higher can supply crafted paths to delete arbitrary files on the underlying server. Deleting a file such as wp-config.php can readily result in remote code execution and full site compromise.

The EPSS score for this CVE reached a peak of 0.2739 on 2025-12-18 before receding to the current value of 0.2448. Vendor information is available via the Codecanyon product page, while detailed vulnerability analysis appears in the Wordfence threat intelligence entry.

Vulnerability details

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vanquish
woocommerce support ticket system
≤ 17.8

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
