CVE-2026-32522
Received Received - Intake
Path Traversal in WooCommerce Support Ticket System Allows Data Access

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal.This issue affects WooCommerce Support Ticket System: from n/a through < 18.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32522
EUVD
EUVD-2026-15886
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vanquish woocommerce_support_ticket_system to 18.5 (exc)
patchstack woocommerce_support_ticket_system to 18.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability CVE-2026-32522 allows unauthenticated attackers to delete arbitrary files on affected websites, which can lead to disruption of services and potential loss of data integrity.

Such unauthorized file deletion and potential data loss or service disruption could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of data integrity, availability, and confidentiality.

However, the provided information does not explicitly detail the direct impact on these compliance frameworks.

Executive Summary

CVE-2026-32522 is a high-priority Arbitrary File Deletion vulnerability in the WordPress WooCommerce Support Ticket System Plugin versions prior to 18.5.

This vulnerability allows unauthenticated attackers to delete files on the affected website by exploiting a Path Traversal flaw, which means they can access and remove files outside the intended restricted directories.

No special privileges are required to exploit this vulnerability, making it particularly dangerous.

The issue falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

Exploitation of this vulnerability can lead to the deletion of core files on your website, potentially causing the site to break or cease functioning.

Because the attack requires no authentication, it can be carried out by anyone, increasing the risk of widespread damage.

Such vulnerabilities are often exploited in mass campaigns targeting thousands of websites indiscriminately.

Immediate action, such as updating the plugin to version 18.5 or later, is recommended to prevent exploitation.

Detection Guidance

The vulnerability allows unauthenticated attackers to delete files on the affected website, which may cause site malfunction or breakage.

Detection can involve monitoring for unusual file deletion activities or unexpected site behavior related to missing core files.

Patchstack provides an automatic mitigation rule that blocks attacks targeting this vulnerability, which can also help detect exploitation attempts.

No specific commands are provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

The primary immediate step is to update the WooCommerce Support Ticket System Plugin to version 18.5 or later, where the vulnerability has been patched.

Until the update can be applied, users of Patchstack can enable the automatic mitigation rule that blocks attacks targeting this vulnerability.

Enabling auto-updates specifically for vulnerable plugins is recommended to ensure rapid protection.

If unable to update immediately, seek assistance from hosting providers or web developers to help prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32522. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart