ilGhera Support System for WooCommerce Missing Authorization Vulnerability Allowing Arbitrary Ticket Deletion

Vulnerability

A vulnerability exists in the ilGhera Support System for WooCommerce plugin for WordPress, in versions through 1.2.6. The issue arises from a lack of proper capability checks in the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions. This flaw enables authenticated attackers with Subscriber-level access and above to delete any support ticket and alter its status, leading to unauthorized data modification and potential data loss.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of support tickets and modification of their statuses.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the WordPress site that includes the 'ticket_id' of the support ticket to be deleted. The request can be issued from the WordPress admin interface, where such a user can reach the support tickets management page. Because the callback performs no authorization check, the specified ticket is deleted once the request is processed.

Remediation

Users are advised to update the ilGhera Support System for WooCommerce plugin to version 1.2.7 or later, where this vulnerability has been patched.
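The following PHP is an added illustration of the flaw class described in the Vulnerability section and of the kind of check the 1.2.7 fix would need; it is not the plugin's own code. The post type 'support_ticket', the nonce action 'ilghera_ticket_nonce', the '_ticket_status' meta key, the status allow-list, and the hooked action and function names are assumptions for the example. The 'manage_woocommerce' capability is WooCommerce's real shop-manager/administrator capability, and the WordPress functions used (check_ajax_referer, current_user_can, absint, wp_send_json_error) are standard core API.

```php
<?php
// Added example, not the ilGhera plugin's code. Shows an admin-ajax ticket
// deletion callback first without a capability check (the flaw class in the
// advisory), then hardened with nonce, capability and ownership checks.
// Assumed (not from the advisory): post type 'support_ticket', nonce action
// 'ilghera_ticket_nonce', meta key '_ticket_status', and all hook/function names.

// --- Vulnerable pattern: trusts the request merely because it is authenticated. ---
// Every logged-in user, Subscriber included, can reach a wp_ajax_* hook, so
// without a capability check anyone with an account can delete any ticket by id.
function example_delete_ticket_vulnerable() {
    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    if ( $ticket_id ) {
        wp_delete_post( $ticket_id, true );
    }
    wp_send_json_success();
}

// --- Hardened pattern: nonce + capability + object-level ownership. ---
function example_delete_ticket_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'ilghera_ticket_nonce', 'nonce' );

    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    $ticket    = $ticket_id ? get_post( $ticket_id ) : null;
    if ( ! $ticket || 'support_ticket' !== $ticket->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid ticket.' ), 400 );
    }

    // 2. Authorization. Subscribers hold only the 'read' capability, so requiring
    //    'manage_woocommerce' excludes them. is_user_logged_in() alone would NOT
    //    close the issue, since the reported attackers are authenticated users.
    //    Letting the ticket's own author delete it is a policy choice assumed here.
    $is_staff = current_user_can( 'manage_woocommerce' );
    $is_owner = ( (int) $ticket->post_author === get_current_user_id() );
    if ( ! $is_staff && ! $is_owner ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Only after both checks pass is state changed.
    wp_delete_post( $ticket_id, true );
    wp_send_json_success( array( 'deleted' => $ticket_id ) );
}

// Same shape for the status-change callback named in the advisory: verify the
// nonce, require the capability, and validate the new status against an allow-list.
function example_change_ticket_status_hardened() {
    check_ajax_referer( 'ilghera_ticket_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    $status    = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $allowed   = array( 'open', 'pending', 'closed' ); // assumed status set

    if ( ! $ticket_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    update_post_meta( $ticket_id, '_ticket_status', $status ); // assumed meta key
    wp_send_json_success( array( 'ticket_id' => $ticket_id, 'status' => $status ) );
}

// Only the hardened handlers are registered, and only for logged-in users:
// there is deliberately no wp_ajax_nopriv_* registration for either action.
add_action( 'wp_ajax_example_delete_ticket', 'example_delete_ticket_hardened' );
add_action( 'wp_ajax_example_change_ticket_status', 'example_change_ticket_status_hardened' );
```

The two points a reviewer would look for in any fix are that the capability check happens before the state change and that it tests a capability Subscribers do not have; a nonce on its own only prevents cross-site request forgery and does nothing against a user who is legitimately logged in.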

Added: Jan 6, 2026, 4:25 AM
Updated: Jan 6, 2026, 4:25 AM

Vulnerability Rating

Custom Algorithm

spread: 1.6
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.