WooCommerce Support Ticket System Missing Authorization Vulnerability Allows Arbitrary Post Deletion and Information Exposure
Vulnerability
A vulnerability exists in the WooCommerce Support Ticket System plugin for WordPress, in all versions through 17.8. The issue arises from inadequate capability checks in the 'ajax_delete_message', 'ajax_get_customers_partial_list', and 'ajax_get_admins_list' AJAX handler functions. This flaw enables authenticated attackers with Subscriber-level access or higher to delete any post and to read the names, emails, and capabilities of all users.
Impact
Exploitation of this vulnerability allows an authenticated, low-privileged user to delete arbitrary posts and to read user information, including names, emails, and capabilities.
Remediation
Users are advised to update the WooCommerce Support Ticket System plugin to version 17.9 or a newer patched version.
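As an added illustration of the defect class described above (not the plugin's own code), the following shows a WordPress AJAX handler that deletes a post without checking the caller's capabilities, next to a hardened version, plus the same check applied to a user-listing endpoint. All function, action and post-type names are hypothetical.

```php
<?php
// Added example, not code from the plugin: a WordPress admin-ajax handler
// shown without and with the authorization checks the advisory says were missing.
// All action, function and post-type names below are hypothetical.

// Pattern 1: handler registered with no nonce or capability check.
// Any logged-in user who can reach admin-ajax.php can delete any post.
add_action( 'wp_ajax_example_delete_message_insecure', 'example_delete_message_insecure' );
function example_delete_message_insecure() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// Pattern 2: hardened handler.
add_action( 'wp_ajax_example_delete_message', 'example_delete_message' );
function example_delete_message() {
    // Reject requests that do not carry a valid nonce for this action (CSRF).
    check_ajax_referer( 'example_delete_message', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Limit the handler to the post type this feature manages (hypothetical
    // 'support_message'), so it can never be pointed at arbitrary posts.
    if ( ! $post || 'support_message' !== $post->post_type ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // Per-object capability check: being logged in is not enough; the user
    // must be allowed to delete this specific post.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// Same principle for endpoints that return user data: require a capability
// such as 'list_users' before exposing names or emails.
add_action( 'wp_ajax_example_get_admins_list', 'example_get_admins_list' );
function example_get_admins_list() {
    check_ajax_referer( 'example_get_admins_list', 'nonce' );
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'ID', 'display_name' ) ) );
    wp_send_json_success( $admins );
}
```

When reviewing a plugin, every wp_ajax_ and wp_ajax_nopriv_ callback should be checked for both a nonce verification and a capability check that matches the object it acts on.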