ilGhera Carta Docente for WooCommerce Path Traversal Vulnerability Allowing Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in the ilGhera Carta Docente for WooCommerce plugin for WordPress, affecting all versions up to and including 1.5.0. The flaw stems from insufficient validation of the file path built from the 'cert' parameter of the 'wccd-delete-certificate' AJAX action: the supplied value is used to locate the file to delete without being confined to the certificate directory. Authenticated attackers with Administrator-level access can use it to delete arbitrary files the web server process can write to, including 'wp-config.php', which can lead to site takeover and remote code execution.

Impact

Exploitation of this vulnerability allows arbitrary file deletion on the server. 'wp-config.php' is the classic target: when it is missing, WordPress falls back to its installation routine, so an attacker can re-run setup against a database they control and then install a plugin or theme of their choice, which amounts to arbitrary code execution. Because Administrator privileges are required, the finding matters mainly where administrators are not otherwise trusted with file-system access, for example on multisite installations or on sites that set DISALLOW_FILE_MODS; this is reflected in the low impact score below.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges sends a request to the 'wccd-delete-certificate' AJAX action (dispatched through wp-admin/admin-ajax.php) with a 'cert' value that contains directory traversal sequences such as '../' segments pointing at the target file. Because the handler does not validate the resulting path, the file outside the certificate directory is deleted. After patching, the same request with a traversal value should be rejected and the target file left untouched.

Remediation

Users are advised to update the ilGhera Carta Docente for WooCommerce plugin to version 1.5.1 or later, where this vulnerability has been patched.

Added: Mar 20, 2026, 9:32 AM
Updated: Mar 20, 2026, 9:32 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.