{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14034", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T15:03:56.626Z", "datePublished": "2026-01-06T03:21:40.731Z", "dateUpdated": "2026-04-08T17:30:21.336Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:21.336Z"}, "affected": [{"vendor": "ghera74", "product": "ilGhera Support System for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status."}], "title": "ilGhera Support System for WooCommerce <= 1.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e74fb552-3ef4-47cd-8fe6-8cc1e74b8377?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L1331"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L1331"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L865"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L865"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426161%40wc-support-system&new=3426161%40wc-support-system&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-12T18:27:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-05T15:05:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T15:00:33.815916Z", "id": "CVE-2025-14034", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:00:50.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T15:00:33.815916Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:00:43.716Z"}}], "cna": {"title": "ilGhera Support System for WooCommerce <= 1.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ghera74", "product": "ilGhera Support System for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T18:27:32.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-05T15:05:40.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e74fb552-3ef4-47cd-8fe6-8cc1e74b8377?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L1331"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L1331"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L865"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L865"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426161%40wc-support-system&new=3426161%40wc-support-system&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-06T03:21:40.731Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14034", "state": "PUBLISHED", "dateUpdated": "2026-01-06T15:00:50.502Z", "dateReserved": "2025-12-04T15:03:56.626Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T03:21:40.731Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status."}, {"lang": "es", "value": "El plugin ilGhera Support System para WooCommerce para WordPress es vulnerable a la modificaci\u00f3n no autorizada y la p\u00e9rdida de datos debido a una verificaci\u00f3n de capacidad faltante en las funciones 'delete_single_ticket_callback' y 'change_ticket_status_callback' en todas las versiones hasta la 1.2.6, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, eliminen tickets de soporte arbitrarios y modifiquen su estado."}], "id": "CVE-2025-14034", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-06T04:15:53.057", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L1331"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L865"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L1331"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L865"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426161%40wc-support-system&new=3426161%40wc-support-system&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e74fb552-3ef4-47cd-8fe6-8cc1e74b8377?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:18:47.183928+00:00", "value": {"mitigation_remediation": ["Upgrade the ilGhera Support System for WooCommerce plugin to the latest version (\u22651.2.7) which includes the missing capability checks.", "If an upgrade is not immediately possible, restrict the Subscriber role (and any roles below Administrator) from accessing the ticket deletion and status change endpoints by removing the corresponding capabilities or overriding the plugin\u2019s role definitions.", "Enable audit logging for ticket deletions and status changes and regularly review the logs for unauthorized activity."], "summary": {"action": "Apply Patch", "impact": "Arbitrary deletion and status modification of support tickets"}, "threat_synthesis": {"affected_systems": "The affected vendor is ghera74, product \"ilGhera Support System for WooCommerce\". All releases up to and including version 1.2.6 are vulnerable; newer releases beyond 1.2.6 are presumed to have fixed the issue.", "description_and_impact": "This vulnerability allows authenticated users, including those with the minimum Subscriber privilege and higher, to delete or change the status of any support ticket managed by the ilGhera Support System for WooCommerce plugin. An attacker who can authenticate to the site can thus erase historical ticket data or alter the progress of existing tickets, potentially causing loss of record, loss of service continuity, and confusion for both customers and staff. The weakness is a missing capability check on functions that handle ticket deletion and status changes, identified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability that this exploit will be seen in the wild. The vulnerability is not listed in the CISA KEV catalog. The exploit requires authentication, typically achieved by any WordPress user with Subscriber or higher roles. An attacker can use the exposed administrative endpoints (e.g., /wp-admin/admin-ajax.php?action=delete_single_ticket_callback) to invoke the deletion or status change actions without the necessary capability checks. Because the vulnerability exists only on authenticated sessions, perimeter defenses alone do not mitigate it; insider risk or accidental privilege abuse is a primary concern."}}}}, "created": "2026-01-06T14:15:55.448401+00:00", "updated": "2026-04-20T21:30:18.566989+00:00", "vendors": ["ilghera", "ilghera$PRODUCT$woocommerce_support_system", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}