CVE-2024-10626
Published: 09 November 2024
Summary
CVE-2024-10626 is a high-severity Path Traversal (CWE-22) vulnerability in Vanquish Woocommerce Support Ticket System. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion in all versions through 17.7. The flaw stems from insufficient file path validation in the delete_uploaded_file() function, classified as CWE-22 path traversal, and carries a CVSS 3.1 score of 8.8.
Authenticated attackers with Subscriber-level access or higher can supply crafted paths to delete arbitrary files on the underlying server. Deleting a file such as wp-config.php can readily result in remote code execution and full site compromise.
The EPSS score for this CVE reached a peak of 0.2739 on 2025-12-18 before receding to the current value of 0.2448. Vendor information is available via the Codecanyon product page, while detailed vulnerability analysis appears in the Wordfence threat intelligence entry.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33216
Vulnerability details
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
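The control above, sketched as an added PHP example: a delete helper that canonicalises the requested path and refuses anything that resolves outside the upload directory. This is not the plugin's code or the vendor's fix; the function name `safe_delete_upload`, the directory layout and the demo files are assumptions constructed for illustration.

```php
<?php
// Added illustration, not the plugin's code. safe_delete_upload() and the
// demo directory layout below are hypothetical names.

function safe_delete_upload(string $baseDir, string $requested): bool
{
    // Canonicalise the allowed directory; realpath() resolves symlinks and "..".
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Reject empty names and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // Resolve the candidate. realpath() returns false for paths that do not
    // exist, so a request for a missing file is refused rather than guessed at.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return false;
    }
    // Containment check on the resolved path. The trailing separator stops a
    // sibling such as "uploads-old" from matching the prefix "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Only regular files may be removed; directories are never deleted here.
    return is_file($target) && unlink($target);
}

// Constructed demo: a throwaway tree with an upload and a stand-in config file.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'uploads', 0700, true);
file_put_contents($root . '/uploads/ticket-1.txt', 'attachment');
file_put_contents($root . '/wp-config.php', '<?php // stand-in');

// A file inside uploads/ is deleted; a "../" request is refused and the
// stand-in config file is still present afterwards.
var_dump(safe_delete_upload($root . '/uploads', 'ticket-1.txt'));
var_dump(safe_delete_upload($root . '/uploads', '../wp-config.php'));
var_dump(file_exists($root . '/wp-config.php'));
```

Path containment is only one part of the control: a real handler would also confirm that the requesting user is entitled to delete that particular attachment.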