CVE-2026-2421
Path Traversal in WooCommerce ilGhera Carta Docente Plugin Enables File Deletion
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ilghera | carta_docente_for_woocommerce | up to and including 1.5.0 |
| ilghera | carta_docente_for_woocommerce | 1.4.7 |
| ilghera | carta_docente_for_woocommerce | 1.4.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2421 is a vulnerability in the ilGhera Carta Docente for WooCommerce WordPress plugin, affecting all versions up to and including 1.5.0. It is a Path Traversal vulnerability triggered via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. The root cause is insufficient validation of file paths before deleting files.
This flaw allows authenticated users with Administrator-level access or higher to delete arbitrary files on the server. For example, an attacker could delete critical files like wp-config.php, which can lead to site takeover and remote code execution.
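The root cause named above (deleting a file from a caller-supplied path without confirming that the path stays inside the certificate directory) is the CWE-22 pattern from the Exploitability table. The following is an added example, not code from the plugin or from ilGhera, written in Python: a delete helper that first requires the request to be a single file-name component and then canonicalises the joined path and checks containment, so both plain '../' sequences and symlinks pointing outside the directory are refused. The function names, the 'certs' directory and the stand-in wp-config.php file are assumptions for the example. The same two checks translate directly to PHP's basename() and realpath().

```python
import os
import tempfile

# Assumed helper names for this example; not the plugin's real code.


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the allowed directory."""


def resolve_certificate_path(cert_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` inside `cert_dir`, or raise.

    Two independent checks: the request must be a bare file name (no separators,
    not empty), and the canonicalised result must still sit strictly below
    cert_dir. realpath() follows '..' and symlinks, and commonpath() avoids the
    classic mistake of a string-prefix test ('/srv/certs-other' starts with
    '/srv/certs' but is not inside it).
    """
    if not requested or requested != os.path.basename(requested):
        # '../x', 'sub/x', '/etc/x' and '' all fail here.
        raise PathTraversalError(f"invalid certificate name: {requested!r}")
    base = os.path.realpath(cert_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        # Catches '.', '..' and symlinks that resolve outside the directory.
        raise PathTraversalError(f"path escapes certificate directory: {requested!r}")
    return candidate


def delete_certificate(cert_dir: str, requested: str) -> bool:
    """Delete a certificate file by name; True if a file was actually removed."""
    target = resolve_certificate_path(cert_dir, requested)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Exercise the helper in a throwaway directory; returns the outcome per input."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cert_dir = os.path.join(tmp, "certs")
        os.makedirs(cert_dir)
        # Constructed stand-in for a critical file one level above the cert dir.
        secret = os.path.join(tmp, "wp-config.php")
        with open(secret, "w") as fh:
            fh.write("<?php // constructed stand-in\n")
        with open(os.path.join(cert_dir, "cert-123.pdf"), "w") as fh:
            fh.write("x")

        for requested in ("cert-123.pdf", "../wp-config.php", "..",
                          "/etc/passwd", "sub/cert.pdf", ""):
            try:
                results[requested] = delete_certificate(cert_dir, requested)
            except PathTraversalError:
                results[requested] = "rejected"
        # Second delete of the same legitimate name: nothing left to remove.
        results["second delete"] = delete_certificate(cert_dir, "cert-123.pdf")
        results["wp-config.php still present"] = os.path.exists(secret)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The basename check alone would stop every input shown here; the realpath/commonpath check is kept because it is the one that also stops a symlink planted inside the directory, which a name-only filter cannot see.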
How can this vulnerability impact me?
The vulnerability can have severe impacts including unauthorized deletion of important server files by an attacker with administrator privileges.
- Deletion of critical files such as wp-config.php, which contains database credentials and configuration.
- Potential site takeover due to loss or manipulation of essential files.
- Remote code execution, allowing attackers to run arbitrary code on the server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authenticated attacker with Administrator-level access exploiting the 'cert' parameter of the 'wccd-delete-certificate' AJAX action to perform path traversal and delete arbitrary files on the server.

Detection can focus on monitoring for suspicious AJAX requests to the 'wccd-delete-certificate' action, especially those containing unusual or unexpected file paths in the 'cert' parameter.

Since the vulnerability requires authenticated Administrator access, reviewing WordPress logs for unusual administrator activity or unexpected certificate deletion attempts is recommended.

Suggested commands or methods to detect exploitation attempts include:

- Check web server access logs for POST requests to admin-ajax.php with the action=wccd-delete-certificate parameter.
- Use grep or similar tools to search for suspicious 'cert' parameter values that include path traversal patterns (e.g., '../').
- Example command to search Apache or Nginx logs for suspicious requests: `grep 'action=wccd-delete-certificate' /var/log/apache2/access.log | grep '\.\./'`
- Monitor WordPress audit or activity logs for administrator actions involving certificate deletion.
- Check for unexpected deletion or modification of critical files such as wp-config.php on the server. [1, 3]
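The grep above is the quick form of this check. As an added example (not from this record's sources or from the plugin vendor), the Python below runs the same detection over a few constructed access-log lines and goes slightly beyond the single '../' pattern: it percent-decodes the 'cert' value repeatedly and normalises backslashes, so encoded and double-encoded variants are flagged as well. It assumes the parameters appear in the logged request line. A default Apache or Nginx access log does not record POST bodies, so when the parameters travel in the body the same logic has to run over a WAF log or a WordPress activity log that captures them. All IPs, timestamps and request lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; none come from a real server.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wccd-delete-certificate&cert=cert-123.pdf HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.11 - - [20/Mar/2026:10:02:45 +0000] "POST /wp-admin/admin-ajax.php?action=wccd-delete-certificate&cert=../../wp-config.php HTTP/1.1" 200 54 "-" "curl/8.0"
203.0.113.12 - - [20/Mar/2026:10:03:10 +0000] "POST /wp-admin/admin-ajax.php?action=wccd-delete-certificate&cert=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 54 "-" "python-requests/2.31"
203.0.113.13 - - [20/Mar/2026:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.14 - - [20/Mar/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=wccd-delete-certificate&cert=..%5c..%5cwp-config.php HTTP/1.1" 200 54 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPECT_ACTION = "wccd-delete-certificate"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so a double-encoded '..%252f' is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(cert: str) -> bool:
    """True when the decoded cert value contains a '..' segment, is absolute, or has a NUL."""
    normalised = fully_decode(cert).replace("\\", "/")
    segments = normalised.split("/")
    return ".." in segments or normalised.startswith("/") or "\x00" in normalised


def scan_log(text: str) -> list:
    """Return one finding per request to the delete action whose cert value looks like traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs already applies one round of percent-decoding.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if params.get("action", [None])[0] != SUSPECT_ACTION:
            continue
        cert = params.get("cert", [""])[0]
        if is_traversal(cert):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "cert": fully_decode(cert),
            })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} cert={hit['cert']!r}")
```

A 200 status on a flagged line is worth treating as a possible successful deletion rather than a blocked attempt, which is why the status is carried into each finding; the legitimate 'cert-123.pdf' request and the unrelated heartbeat call are left alone.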
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

- Update the ilGhera Carta Docente for WooCommerce plugin to a version later than 1.5.0 where the vulnerability is fixed.
- Restrict Administrator-level access to trusted users only, as exploitation requires authenticated Administrator privileges.
- Implement monitoring and alerting for suspicious AJAX requests targeting the 'wccd-delete-certificate' action.
- Review and harden file permissions on the server to prevent unauthorized file deletions.
- If an immediate update is not possible, consider disabling or restricting access to the vulnerable AJAX action via firewall rules or plugin configuration.
- Regularly back up critical files such as wp-config.php to enable recovery in case of file deletion. [1, 3]