Scan free
Pending AnalysisCVE-2025-14033

CVE-2025-14033: Unauthorized Access in ilGhera Support System

Platform

wordpress

Component

wc-support-system

Fixed in

1.3.1

View on NVD
Save

CVE-2025-14033 is a medium-severity vulnerability affecting the ilGhera Support System for WooCommerce plugin for WordPress. This vulnerability allows unauthenticated attackers to access sensitive support ticket content, potentially exposing customer information and private communications. The vulnerability impacts versions 0 through 1.3.0 of the plugin, and a fix is available in version 1.3.1.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The primary impact of CVE-2025-14033 is the unauthorized disclosure of sensitive data. An attacker can simply provide a valid ticket ID to view the complete content of any support ticket, regardless of authentication status. This includes customer names, email addresses, support requests, and any internal communications related to the ticket. The blast radius extends to any customer who has submitted a support ticket through the affected plugin. This vulnerability could lead to reputational damage, regulatory fines (e.g., GDPR), and potential legal action if customer data is compromised.

Exploitation Context

As of the publication date, there is no public evidence of CVE-2025-14033 being actively exploited in the wild. The vulnerability is not listed on KEV or EPSS. The CVSS score of 5.3 indicates a medium probability of exploitation. Monitor WordPress security forums and vulnerability databases for any updates regarding exploitation attempts.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N5.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentwc-support-system
Vendorwordfence
Minimum version0
Maximum version1.3.0
Fixed in1.3.1

Weakness Classification (CWE)

CWE-639

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2025-14033 is to immediately upgrade the ilGhera Support System for WooCommerce plugin to version 1.3.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent unauthorized access. While a direct workaround is not available, carefully review all plugin configurations and ensure that access controls are as restrictive as possible. After upgrading, verify the fix by attempting to access a support ticket without authentication; access should be denied.

How to fix

Update to version 1.3.1, or a newer patched version

Frequently asked questions

What is CVE-2025-14033 — Unauthorized Access in ilGhera Support System?

CVE-2025-14033 is a medium-severity vulnerability in the ilGhera Support System for WooCommerce plugin for WordPress. It allows unauthenticated attackers to view support ticket content, potentially exposing sensitive customer data.

Am I affected by CVE-2025-14033 in ilGhera Support System?

You are affected if your WordPress site uses the ilGhera Support System for WooCommerce plugin in versions 0 through 1.3.0. Upgrade to 1.3.1 or later to mitigate the risk.

How do I fix CVE-2025-14033 in ilGhera Support System?

Upgrade the ilGhera Support System for WooCommerce plugin to version 1.3.1 or later. If immediate upgrade is not possible, temporarily disable the plugin.

Is CVE-2025-14033 being actively exploited?

There is currently no public evidence of CVE-2025-14033 being actively exploited, but the medium CVSS score suggests a potential risk.

Where can I find the official ilGhera Support System advisory for CVE-2025-14033?

Refer to the official ilGhera Support System website and WordPress plugin repository for updates and advisories related to CVE-2025-14033.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free
livefree scan

Scan your WordPress project now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...