CVE-2025-14033

ilGhera Support System for WooCommerce <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Severity: medium (Authorization Bypass Through User-Controlled Key)
CVSS Score: 5.3
Patched in: 1.3.1
Time to patch: 1d

Description

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ticket_content_callback' function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to view any support ticket content, including sensitive customer information and private communications, by providing a ticket ID.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 1.3.0
Published: May 12, 2026
Last updated: May 13, 2026
Affected plugin: wc-support-system

What Changed in the Fix

Changes introduced in v1.3.1

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, specific attack payloads, or detailed technical guidance for exploiting vulnerabilities in software, even for research or proof-of-concept purposes.

For information on identifying and remediating security vulnerabilities in WordPress plugins, I recommend consulting the following resources:

  • WordPress Plugin Handbook on Security: Provides official guidance on secure coding practices, including how to implement proper capability checks and nonces.
  • OWASP Top 10 Project: Offers detailed information on common web vulnerabilities, including Broken Access Control and Information Exposure.
  • Common Vulnerabilities and Exposures (CVE) Database: You can research specific vulnerabilities and their associated patches to understand how developers fix security issues.

Focusing on defensive security practices, such as verifying user capabilities using current_user_can() before returning sensitive data in AJAX handlers, is the most effective way to protect users and systems.

Research Findings
Static analysis — not yet PoC-verified

Summary

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthenticated sensitive information exposure due to a missing authorization check and the registration of a public AJAX handler for retrieving ticket contents. This allows any attacker to view support ticket details, including private customer communications and potentially sensitive personal data, simply by providing a valid ticket ID.

Vulnerable Code

// includes/class-wc-support-system.php:68-69
add_action( 'wp_ajax_get_ticket_content', array( $this, 'get_ticket_content_callback' ) );
add_action( 'wp_ajax_nopriv_get_ticket_content', array( $this, 'get_ticket_content_callback' ) );

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/wc-support-system/1.3.0/includes/class-wc-support-system.php\t2026-04-12 21:28:06.000000000 +0000\n+++ /home/deploy/wp-safety.org/data/plugin-versions/wc-support-system/1.3.1/includes/class-wc-support-system.php\t2026-05-07 10:24:42.000000000 +0000\n@@ -65,7 +65,6 @@\n \t\tadd_action( 'wp_ajax_delete-thread', array( $this, 'delete_single_thread_callback' ) );\n \t\tadd_action( 'wp_ajax_change-ticket-status', array( $this, 'change_ticket_status_callback' ) );\n \t\tadd_action( 'wp_ajax_get_ticket_content', array( $this, 'get_ticket_content_callback' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_get_ticket_content', array( $this, 'get_ticket_content_callback' ) );\n \t\tadd_action( 'wp_ajax_product-select-warning', array( $this, 'product_select_warning_callback' ) );\n \t\tadd_action( 'wp_ajax_nopriv_product-select-warning', array( $this, 'product_select_warning_callback' ) );\n \t\tadd_action( 'wp_footer', array( $this, 'ajax_get_ticket_content' ) );
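Review bot: Dropping the wp_ajax_nopriv_get_ticket_content registration closes the unauthenticated path, but the visible hunk adds no capability or ownership check inside get_ticket_content_callback, so the handler stays reachable through the remaining wp_ajax_get_ticket_content hook by any logged-in account. The fix should not rely on hook registration alone; the callback itself should verify a nonce (check_ajax_referer) and confirm either current_user_can() for staff or that the requested ticket belongs to get_current_user_id() before returning content, and the change would benefit from a note in the plugin's changelog explaining why the nopriv hook was removed.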

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker can send a request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'get_ticket_content'. By iterating through or guessing ticket IDs passed via the request parameters, the attacker can receive the full content and thread history of any support ticket stored in the system. The vulnerability exists because the plugin explicitly registers a 'nopriv' hook (intended for unauthenticated users) and fails to perform ownership or capability verification within the callback function.
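As an added example that is not the plugin's own code, the following shows how an AJAX handler for ticket content should be written so that neither hook registration nor the user-supplied ticket ID decides who may read a ticket. It assumes a hypothetical storage helper wss_load_ticket() and a front-end nonce named 'wss-ticket-nonce'; the WordPress and WooCommerce functions used are real.

```php
<?php
// Added example (not the plugin's code): a hardened get_ticket_content AJAX handler.
// Assumes a hypothetical helper wss_load_ticket( int $id ) that returns an array with
// 'user_id' and 'content' keys (or null), and a nonce 'wss-ticket-nonce' created on
// the front end with wp_create_nonce() and posted in the 'security' field.

// Register the authenticated hook only; there is deliberately no wp_ajax_nopriv_ twin.
add_action( 'wp_ajax_get_ticket_content', 'wss_get_ticket_content_secure' );

function wss_get_ticket_content_secure() {
	// 1. CSRF: the request must carry a nonce issued to the current user.
	//    check_ajax_referer() terminates the request with -1 on failure.
	check_ajax_referer( 'wss-ticket-nonce', 'security' );

	// 2. Input: the ticket ID is an untrusted, user-controlled key.
	$ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
	if ( 0 === $ticket_id ) {
		wp_send_json_error( array( 'message' => 'Invalid ticket ID.' ), 400 );
	}

	$ticket = wss_load_ticket( $ticket_id ); // hypothetical storage lookup
	if ( null === $ticket ) {
		// Same message for "missing" and "not yours" below, so responses do not
		// reveal which ticket IDs exist.
		wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 );
	}

	// 3. Authorization: shop staff may read any ticket; customers only their own.
	//    'manage_woocommerce' is the capability WooCommerce grants to shop managers.
	$is_staff = current_user_can( 'manage_woocommerce' );
	$is_owner = (int) $ticket['user_id'] === get_current_user_id();
	if ( ! $is_staff && ! $is_owner ) {
		wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 );
	}

	// Only now is the content returned.
	wp_send_json_success( array( 'content' => $ticket['content'] ) );
}
```

The same three checks (nonce, sanitised key, ownership-or-capability) are what a reviewer should look for in any wp_ajax_ callback that returns per-user data, regardless of whether a nopriv hook is registered.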
