Platform
wordpress
Component
woocommerce-support-ticket-system
Fixed in
18.5.1
CVE-2026-32522 describes an Arbitrary File Access vulnerability within the WooCommerce Support Ticket System plugin. This vulnerability allows attackers to potentially read sensitive files from the server's file system. It impacts versions of the plugin prior to 18.5. A patch has been released by the vendor, version 18.5, to address this security concern.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read files from the server's file system. This could expose sensitive information such as configuration files, database credentials, or even source code. A successful exploitation could lead to data breaches, compromise of the entire WordPress installation, and potential lateral movement within the network if the server has access to other resources. The impact is particularly severe if the server hosts sensitive data or is part of a critical infrastructure.
CVE-2026-32522 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) code has been widely reported, the nature of path traversal vulnerabilities makes it likely that one will emerge. The EPSS score is currently pending evaluation, but the HIGH CVSS score suggests a moderate probability of exploitation. Monitor security advisories and threat intelligence feeds for updates.
Websites utilizing the WooCommerce Support Ticket System plugin, particularly those running older, unpatched versions (prior to 18.5), are at risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable, as are WordPress installations with weak file permission configurations.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/woocommerce-support-ticket-system/* # Search the installed plugin files for traversal sequences
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/woocommerce-support-ticket-system/../../../../etc/passwd' # Attempt path traversal; a patched install should deny this
Exploit status
EPSS
0.06% (20th percentile)
CVSS vector
The primary mitigation for CVE-2026-32522 is to immediately upgrade the WooCommerce Support Ticket System plugin to version 18.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These might include restricting file access permissions on the server, implementing a Web Application Firewall (WAF) rule to block suspicious file access attempts (e.g., requests containing directory traversal sequences like '../'), and closely monitoring server logs for unusual activity. After upgrading, verify the fix by attempting to access a non-public file via a web request; the request should be denied.
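The log-monitoring workaround above needs something concrete to look for. The following is an added example, not code from the advisory or the plugin, that scans web-server access log lines for requests aimed at this plugin's directory that carry a `..` segment, after percent-decoding (including double encoding) so `%2e%2e` and `%252e%252e` are caught; because the page does not state where the traversal sequence is supplied, it checks both the URL path and query-string values. The log lines are constructed samples, and `PLUGIN_PATH` is the plugin's standard install location under `wp-content`.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

PLUGIN_PATH = "/wp-content/plugins/woocommerce-support-ticket-system/"

# Combined log format (Apache/nginx default); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and double-encoded %252e%252e both
    become '..'; backslashes are folded to '/' so '..\\' variants are seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_dotdot_segment(value: str) -> bool:
    return any(seg == ".." for seg in full_decode(value).split("/"))

def is_traversal_request(target: str) -> bool:
    """True when a request to the plugin directory carries a '..' segment in its
    path or in any query-string value (scoped to this plugin on purpose)."""
    parts = urlsplit(target)
    path = full_decode(parts.path)
    if not path.startswith(PLUGIN_PATH):
        return False
    if has_dotdot_segment(path):
        return True
    return any(has_dotdot_segment(v) for _, v in parse_qsl(parts.query, keep_blank_values=True))

def scan_access_log(lines):
    """Return (ip, status, target) for each suspicious request. A 200 means the
    server served something for it; 403/404 indicate a blocked or failed probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_request(m["target"]):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits

# Constructed sample lines (not real traffic): legitimate asset request, raw traversal
# in the path, double-encoded traversal in a query value, traversal outside the plugin.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /wp-content/plugins/woocommerce-support-ticket-system/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Mar/2026:10:00:02 +0000] "GET /wp-content/plugins/woocommerce-support-ticket-system/../../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.7 - - [25/Mar/2026:10:00:03 +0000] "GET /wp-content/plugins/woocommerce-support-ticket-system/file.php?f=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3100 "-" "curl/8.0"',
    '192.0.2.9 - - [25/Mar/2026:10:00:04 +0000] "GET /wp-content/uploads/../../wp-config.php HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, target in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} {target}")
```

Prioritise hits with status 200 on unpatched hosts, since those are the requests the server actually answered.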
Update to version 18.5, or a newer patched version
CVE-2026-32522 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a server running versions of WooCommerce Support Ticket System before 18.5. It's a path traversal issue.
You are affected if you are using WooCommerce Support Ticket System version 18.5 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the WooCommerce Support Ticket System plugin to version 18.5 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file permissions or using a WAF.
There is currently no confirmed active exploitation of CVE-2026-32522, but the vulnerability's nature makes it a potential target.
Refer to the WooCommerce Support Ticket System plugin documentation and the WordPress security announcements for the official advisory.