PT-2024-16420 · WordPress · Woocommerce Support Ticket System

Tonn · Published 2024-11-08 · Updated 2024-11-14 · CVE-2024-10626

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WooCommerce Support Ticket System plugin for WordPress, versions up to and including 17.7

Description: Arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function. This allows authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server, potentially leading to remote code execution if critical files such as wp-config.php are deleted.

Recommendations: For versions up to and including 17.7, update to a version that fixes the path validation issue in the delete_uploaded_file() function. As a temporary workaround, consider disabling the delete_uploaded_file() function until a patch is available, to minimize the risk of exploitation.
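The weakness described above is a delete handler that passes a client-supplied file name to the filesystem without confining it to the plugin's own attachment directory. The following is an added example written for this page, not code from the WooCommerce Support Ticket System plugin: it shows the check a fixed delete handler needs, canonicalising the path with realpath() and refusing anything that does not resolve to a regular file strictly under the base directory. The function names, the uploads directory layout and the constructed temp files are assumptions for the demonstration; the plugin's real handler would also carry its own nonce and ownership checks.

```php
<?php
// Added example, not the plugin's own code: confine a client-supplied
// file name to the attachment directory before unlinking it.

/**
 * Return the canonical path of $requested inside $base_dir, or null when
 * the request must be refused (traversal, symlink escape, non-file).
 */
function safe_attachment_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Keep only the last path component of the client string; "../" and
    // absolute prefixes are discarded rather than interpreted.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() follows symlinks, so a link dropped into the directory
    // that points at wp-config.php resolves to its real target here.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    // The resolved target must sit strictly under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

/** Delete only when the path check passes; log refused requests for review. */
function delete_attachment(string $base_dir, string $requested): bool
{
    $path = safe_attachment_path($base_dir, $requested);
    if ($path === null) {
        error_log('refused attachment delete for ' . var_export($requested, true));
        return false;
    }
    return unlink($path);
}

// Self-contained demonstration on constructed files in a temporary directory.
$root = sys_get_temp_dir() . '/attachment_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/ticket-42.txt', 'attachment body');
file_put_contents($root . '/wp-config.php', 'constructed stand-in for the real file');
symlink($root . '/wp-config.php', $root . '/uploads/link.php');

// Traversal: the "../" is discarded, and uploads/ holds no wp-config.php, so nothing is deleted.
var_dump(delete_attachment($root . '/uploads', '../wp-config.php'));
// Symlink escape: link.php resolves outside uploads/ and is refused.
var_dump(delete_attachment($root . '/uploads', 'link.php'));
// Legitimate attachment inside uploads/ is removed.
var_dump(delete_attachment($root . '/uploads', 'ticket-42.txt'));
// The stand-in config file outside the directory is still present.
var_dump(file_exists($root . '/wp-config.php'));

// Clean up the constructed files.
unlink($root . '/uploads/link.php');
unlink($root . '/wp-config.php');
rmdir($root . '/uploads');
rmdir($root);
```

The prefix comparison is done on the realpath() result rather than on the string the client sent, which is what closes the symlink case: a name that looks local can still resolve elsewhere. Refused requests are logged so that repeated traversal attempts against the delete endpoint show up in the server logs.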

Tags: Fix · RCE · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2024-10626

Affected Products: Woocommerce Support Ticket System