CVE-2024-10625

Name of the Vulnerable Software and Affected Versions WooCommerce Support Ticket System plugin for WordPress versions up to, and including, 17.7

Description The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete tmp uploaded file() function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted, such as wp-config.php.

Recommendations Update to a version later than 17.7 to resolve the issue. As a temporary workaround, consider restricting access to the delete tmp uploaded file() function until a patch is available.