{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32522", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:19.946Z", "datePublished": "2026-03-25T16:15:07.516Z", "dateUpdated": "2026-04-29T09:52:01.063Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "woocommerce-support-ticket-system", "product": "WooCommerce Support Ticket System", "vendor": "vanquish", "versions": [{"changes": [{"at": "18.5", "status": "unaffected"}], "lessThanOrEqual": "< 18.5", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:41.922Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal.<p>This issue affects WooCommerce Support Ticket System: from n/a through < 18.5.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal.This issue affects WooCommerce Support Ticket System: from n/a through < 18.5."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.063Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-support-ticket-system/vulnerability/wordpress-woocommerce-support-ticket-system-plugin-18-5-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress WooCommerce Support Ticket System plugin < 18.5 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:39:58.462160Z", "id": "CVE-2026-32522", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:40:21.583Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32522", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:39:58.462160Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:39:07.764Z"}}], "cna": {"title": "WordPress WooCommerce Support Ticket System plugin < 18.5 - Arbitrary File Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "vanquish", "product": "WooCommerce Support Ticket System", "versions": [{"status": "affected", "changes": [{"at": "18.5", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 18.5"}], "packageName": "woocommerce-support-ticket-system", "collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:41.922Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-support-ticket-system/vulnerability/wordpress-woocommerce-support-ticket-system-plugin-18-5-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal.This issue affects WooCommerce Support Ticket System: from n/a through < 18.5.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal.<p>This issue affects WooCommerce Support Ticket System: from n/a through < 18.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.063Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32522", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:52:01.063Z", "dateReserved": "2026-03-12T11:12:19.946Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:07.516Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal.This issue affects WooCommerce Support Ticket System: from n/a through < 18.5."}, {"lang": "es", "value": "Vulnerabilidad de Limitaci\u00f3n Incorrecta de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') en vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system permite Salto de Ruta. Este problema afecta a WooCommerce Support Ticket System: desde n/a hasta &lt; 18.5."}], "id": "CVE-2026-32522", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:05.090", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-support-ticket-system/vulnerability/wordpress-woocommerce-support-ticket-system-plugin-18-5-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,18.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[18.5,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WooCommerce Support Ticket System", "source": "cna", "vendor": "vanquish"}, "product": "woocommerce_support_ticket_system", "vendor": "vanquish"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T21:06:00.601542+00:00", "value": {"mitigation_remediation": ["Upgrade the WooCommerce Support Ticket System plugin to version 18.5 or newer", "If upgrading is not immediately possible, restrict access to the plugin\u2019s file deletion endpoint by blocking unauthenticated requests or applying appropriate role\u2011based access controls", "If the file deletion feature is not critical to operations, consider disabling it entirely", "Configure the web server or application firewall to reject path traversal attempts"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "The WooCommerce Support Ticket System plugin for WordPress, provided by vanquish, is affected in all releases prior to version 18.5. The flaw is present in every version from its introduction until the identified fix in 18.5.", "description_and_impact": "The vulnerability allows an attacker to delete arbitrary files from the server by exploiting a path traversal flaw in the WooCommerce Support Ticket System plugin. This weakness, identified as CWE-22, can compromise file integrity and potentially lead to denial of service if critical system or plugin files are removed.", "risk_and_exploitability": "The CVSS base score of 8.6 indicates high severity, while an EPSS score of less than 1% suggests a low but non-zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attacks are likely to target sites where users can trigger ticket deletion operations; based on the description, it is inferred that an attacker would need access to the plugin\u2019s deletion functionality, which typically requires authenticated administrative access. If exploited, an attacker could delete arbitrary files, compromising the availability, confidentiality, or integrity of the WordPress installation."}}}}, "created": "2026-03-25T21:47:17.971686+00:00", "updated": "2026-03-27T09:30:45.010524+00:00", "vendors": ["vanquish", "vanquish$PRODUCT$woocommerce_support_ticket_system", "wordpress", "wordpress$PRODUCT$wordpress"]}