Platform: wordpress
Component: woocommerce-support-ticket-system
Fixed in: 18.5.1
CVE-2026-32522 describes an Arbitrary File Access vulnerability within the WooCommerce Support Ticket System plugin. This vulnerability allows attackers to potentially read sensitive files from the server's file system. It impacts versions of the plugin prior to 18.5, and a patch has been released in version 18.5.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside the intended web root directory. Successful exploitation could expose sensitive configuration files, database credentials, source code, or other confidential data. The impact extends beyond data disclosure: an attacker could use this access to further compromise the WordPress installation, such as modifying core files or executing arbitrary code if the exposed files contain executable scripts. This vulnerability is particularly concerning given the widespread use of WordPress and WooCommerce plugins.
CVE-2026-32522 was publicly disclosed on 2026-03-25. There is currently no indication of active exploitation campaigns targeting this vulnerability, and it is not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the nature of path traversal vulnerabilities makes them relatively easy to develop. The vulnerability's severity warrants prompt remediation.
EPSS: 0.06% (20th percentile)
The primary mitigation for CVE-2026-32522 is to immediately upgrade the WooCommerce Support Ticket System plugin to version 18.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These might include restricting file permissions on sensitive directories to prevent unauthorized access, or using a Web Application Firewall (WAF) to block requests containing path traversal sequences (e.g., ../). Regularly review file permissions and access controls to ensure they are properly configured. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that access is denied.
Update to version 18.5, or a newer patched version
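The WAF workaround above names `../` as the sequence to block, but a literal match misses percent-encoded and double-encoded forms. The following is an added example (not code from the plugin or from this advisory) that decodes request targets from an access log before checking for a `..` path segment; the log lines, the `example_action` action and the `example_file` parameter are constructed placeholders, not the plugin's real request parameters.

```python
import re
from urllib.parse import unquote

# A ".." path segment: /, \ or = on the left, then /, \ or end of string.
TRAVERSAL = re.compile(r"(?:^|[\\/=])\.\.(?:[\\/]|$)")
# Request target from a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def normalize(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target):
    """True if the decoded request target contains a '..' path segment."""
    return bool(TRAVERSAL.search(normalize(target)))


def scan(log_lines):
    """Return (line_number, raw_target) for every suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match and is_traversal(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


# Constructed sample log lines. The action and parameter names are
# hypothetical placeholders, not the plugin's real request parameters.
AJAX = "/wp-admin/admin-ajax.php?action=example_action&example_file="
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Mar/2026:10:00:01 +0000] "GET /my-account/?ticket=42 HTTP/1.1" 200 912',
    f'198.51.100.7 - - [26/Mar/2026:10:00:05 +0000] "GET {AJAX}../../wp-config.php HTTP/1.1" 200 3120',
    f'198.51.100.7 - - [26/Mar/2026:10:00:06 +0000] "GET {AJAX}..%2f..%2fwp-config.php HTTP/1.1" 200 3120',
    f'198.51.100.7 - - [26/Mar/2026:10:00:07 +0000] "GET {AJAX}%252e%252e%252fwp-config.php HTTP/1.1" 403 0',
    '203.0.113.10 - - [26/Mar/2026:10:00:09 +0000] "GET /?s=shipping...delay HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A 200 response with a non-trivial body size on a flagged request is the case to investigate first, since it suggests the file was actually served.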
CVE-2026-32522 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a server running versions of WooCommerce Support Ticket System before 18.5. It's a path traversal issue.
You are affected if you are using WooCommerce Support Ticket System version 18.5 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the WooCommerce Support Ticket System plugin to version 18.5 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file permissions or using a WAF.
There is currently no confirmed active exploitation of CVE-2026-32522, but the vulnerability's nature makes it a potential target.
Refer to the WooCommerce Support Ticket System plugin documentation and the WordPress security announcements for the official advisory.