CVE-2026-32522
Path Traversal in WooCommerce Support Ticket System Allows Data Access
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vanquish | woocommerce_support_ticket_system | to 18.5 (exc) |
| patchstack | woocommerce_support_ticket_system | to 18.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32522 is a high-priority Arbitrary File Deletion vulnerability in the WordPress WooCommerce Support Ticket System Plugin versions prior to 18.5.
This vulnerability allows unauthenticated attackers to delete files on the affected website by exploiting a Path Traversal flaw, which means they can access and remove files outside the intended restricted directories.
No special privileges are required to exploit this vulnerability, making it particularly dangerous.
The issue falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to the deletion of core files on your website, potentially causing the site to break or cease functioning.
Because the attack requires no authentication, it can be carried out by anyone, increasing the risk of widespread damage.
Such vulnerabilities are often exploited in mass campaigns targeting thousands of websites indiscriminately.
Immediate action, such as updating the plugin to version 18.5 or later, is recommended to prevent exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability allows unauthenticated attackers to delete files on the affected website, which may cause site malfunction or breakage.
Detection can involve monitoring for unusual file deletion activities or unexpected site behavior related to missing core files.
Patchstack provides an automatic mitigation rule that blocks attacks targeting this vulnerability, which can also help detect exploitation attempts.
No specific commands are provided in the available resources to detect this vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate step is to update the WooCommerce Support Ticket System Plugin to version 18.5 or later, where the vulnerability has been patched.
Until the update can be applied, users of Patchstack can enable the automatic mitigation rule that blocks attacks targeting this vulnerability.
Enabling auto-updates specifically for vulnerable plugins is recommended to ensure rapid protection.
If unable to update immediately, seek assistance from hosting providers or web developers to help prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-32522 allows unauthenticated attackers to delete arbitrary files on affected websites, which can lead to disruption of services and potential loss of data integrity.
Such unauthorized file deletion and potential data loss or service disruption could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of data integrity, availability, and confidentiality.
However, the provided information does not explicitly detail the direct impact on these compliance frameworks.