Scan free
CRITICALCVE-2024-10625CVSS 9.8

CVE-2024-10625: Arbitrary File Access in WooCommerce Support Ticket System

Platform

wordpress

Component

woocommerce-support-ticket-system

Fixed in

17.6.1

AI Confidence: highNVDEPSS 40.6%Reviewed: May 2026
View on NVD
Save

CVE-2024-10625 represents a critical security vulnerability affecting the WooCommerce Support Ticket System plugin for WordPress. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution. The issue stems from insufficient file path validation within the plugin and impacts versions up to and including 17.7. A patch is available, and immediate action is recommended.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The impact of CVE-2024-10625 is severe due to the potential for remote code execution. An attacker exploiting this vulnerability could delete critical WordPress configuration files, such as wp-config.php, effectively gaining control of the entire WordPress installation. This could lead to data breaches, website defacement, malware injection, and complete compromise of the server. The ease of exploitation, requiring no authentication, significantly increases the risk. Deletion of other sensitive files could also expose database credentials or other confidential information.

Exploitation Context

CVE-2024-10625 was publicly disclosed on November 9, 2024. While no active exploitation campaigns have been definitively confirmed, the vulnerability's ease of exploitation and critical severity make it a high-priority target. The potential for RCE elevates this vulnerability to a significant risk. Public proof-of-concept exploits are likely to emerge, further increasing the risk of exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

40.62% (97% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentwoocommerce-support-ticket-system
Vendorvanquish
Affected rangeFixed in
* – 17.617.6.1

Weakness Classification (CWE)

CWE-22

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 561 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-10625 is to immediately upgrade the WooCommerce Support Ticket System plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting file uploads and deleting any temporary upload directories. Implement strict file permissions on the WordPress installation to limit the impact of a successful file deletion. Monitor WordPress logs for suspicious file deletion activity. After upgrading, confirm the fix by attempting a file deletion request through a vulnerable endpoint and verifying that the request is denied.

How to fix

Update the WooCommerce Support Ticket System plugin to the latest available version. The vulnerability allows for arbitrary file deletion, which could compromise the security of the website.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-10625 — Arbitrary File Access in WooCommerce Support Ticket System?

CVE-2024-10625 is a critical vulnerability in the WooCommerce Support Ticket System plugin allowing unauthenticated attackers to delete arbitrary files, potentially leading to remote code execution.

Am I affected by CVE-2024-10625 in WooCommerce Support Ticket System?

If you are using WooCommerce Support Ticket System version 17.6 or earlier, you are affected by this vulnerability and should upgrade immediately.

How do I fix CVE-2024-10625 in WooCommerce Support Ticket System?

Upgrade the WooCommerce Support Ticket System plugin to the latest version that addresses the vulnerability. If immediate upgrade is not possible, implement temporary workarounds like restricting file uploads.

Is CVE-2024-10625 being actively exploited?

While no confirmed active exploitation campaigns have been reported, the vulnerability's severity and ease of exploitation make it a high-priority target, and exploitation is likely.

Where can I find the official WooCommerce advisory for CVE-2024-10625?

Refer to the WooCommerce security advisory for detailed information and updates: [https://woocommerce.com/security/](https://woocommerce.com/security/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs