CVE-2026-2421
Received Received - Intake
Path Traversal in WooCommerce ilGhera Carta Docente Plugin Enables File Deletion

Publication date: 2026-03-20

Last updated on: 2026-03-20

Assigner: Wordfence

Description
The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a file deletion. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2421
EUVD
EUVD-2026-13636
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ilghera carta_docente_for_woocommerce to 1.5.0 (inc)
ilghera carta_docente_for_woocommerce 1.4.7
ilghera carta_docente_for_woocommerce 1.4.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2421 is a vulnerability in the ilGhera Carta Docente for WooCommerce WordPress plugin, affecting all versions up to and including 1.5.0. It is a Path Traversal vulnerability triggered via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. The root cause is insufficient validation of file paths before deleting files.

This flaw allows authenticated users with Administrator-level access or higher to delete arbitrary files on the server. For example, an attacker could delete critical files like wp-config.php, which can lead to site takeover and remote code execution.

Impact Analysis

The vulnerability can have severe impacts including unauthorized deletion of important server files by an attacker with administrator privileges.

  • Deletion of critical files such as wp-config.php, which contains database credentials and configuration.
  • Potential site takeover due to loss or manipulation of essential files.
  • Remote code execution, allowing attackers to run arbitrary code on the server.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves an authenticated attacker with Administrator-level access exploiting the 'cert' parameter of the 'wccd-delete-certificate' AJAX action to perform path traversal and delete arbitrary files on the server."}, {'type': 'paragraph', 'content': "Detection can focus on monitoring for suspicious AJAX requests to the 'wccd-delete-certificate' action, especially those containing unusual or unexpected file paths in the 'cert' parameter."}, {'type': 'paragraph', 'content': 'Since the vulnerability requires authenticated Administrator access, reviewing WordPress logs for unusual administrator activity or unexpected certificate deletion attempts is recommended.'}, {'type': 'paragraph', 'content': 'Suggested commands or methods to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Check web server access logs for POST requests to admin-ajax.php with the action=wccd-delete-certificate parameter.'}, {'type': 'list_item', 'content': "Use grep or similar tools to search for suspicious 'cert' parameter values that include path traversal patterns (e.g., '../')."}, {'type': 'list_item', 'content': 'Example command to search Apache or Nginx logs for suspicious requests:'}, {'type': 'list_item', 'content': "grep 'action=wccd-delete-certificate' /var/log/apache2/access.log | grep '\\.\\./'"}, {'type': 'list_item', 'content': 'Monitor WordPress audit or activity logs for administrator actions involving certificate deletion.'}, {'type': 'list_item', 'content': 'Check for unexpected deletion or modification of critical files such as wp-config.php on the server.'}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Update the ilGhera Carta Docente for WooCommerce plugin to a version later than 1.5.0 where the vulnerability is fixed.'}, {'type': 'list_item', 'content': 'Restrict Administrator-level access to trusted users only, as exploitation requires authenticated Administrator privileges.'}, {'type': 'list_item', 'content': "Implement monitoring and alerting for suspicious AJAX requests targeting the 'wccd-delete-certificate' action."}, {'type': 'list_item', 'content': 'Review and harden file permissions on the server to prevent unauthorized file deletions.'}, {'type': 'list_item', 'content': 'If immediate update is not possible, consider disabling or restricting access to the vulnerable AJAX action via firewall rules or plugin configuration.'}, {'type': 'list_item', 'content': 'Regularly back up critical files such as wp-config.php to enable recovery in case of file deletion.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2421. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart