Описание
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status.
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-14034
- https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L1331
- https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L865
- https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L1331
- https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L865
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426161%40wc-support-system&new=3426161%40wc-support-system&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e74fb552-3ef4-47cd-8fe6-8cc1e74b8377?source=cve
Связанные уязвимости
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status.