CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Description
The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a file deletion. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible.
Analysis
A Path Traversal vulnerability exists in the ilGhera Carta Docente for WooCommerce plugin for WordPress (versions up to and including 1.5.0) that allows authenticated administrators to delete arbitrary files on the server through insufficient validation of the 'cert' parameter in the 'wccd-delete-certificate' AJAX action. An attacker with administrator privileges can exploit this to delete critical files such as wp-config.php, leading to site takeover and potential remote code execution. …
Remediation
Within 30 days: Identify affected systems running the ilGhera Carta Docente for WooCommerce plugin for WordPress (all versions up to, and including, 1.5.0) and apply vendor patches as part of the regular patch cycle. Review file handling controls.
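One way to implement the file path validation that the description says is missing before a deletion, as an added example (not the plugin's code and not the vendor's patch). The function name `delete_inside_dir`, the `certs` directory and the file names are assumptions, and the demo files are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Delete a file only if it resolves to a regular file directly inside $baseDir.
 * Hypothetical helper; the names are not taken from the plugin.
 */
function delete_inside_dir(string $baseDir, string $requested): bool
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // Accept a bare file name only: no directory separators, no dot entries.
    if ($requested !== basename($requested) || $requested === '.' || $requested === '..') {
        return false;
    }
    // Resolve symlinks, then require the target's parent to be exactly the base directory.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || dirname($target) !== $base || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo: a temporary tree standing in for the site root and its certificate folder.
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'certdemo_' . bin2hex(random_bytes(4));
$certs = $root . DIRECTORY_SEPARATOR . 'certs';
mkdir($certs, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', 'constructed');
file_put_contents($certs . DIRECTORY_SEPARATOR . 'merchant.pem', 'constructed');

// Constructed values for the request parameter: traversal, legitimate name, absolute path, missing file.
$samples = ['../wp-config.php', 'merchant.pem', $root . '/wp-config.php', 'missing.pem'];
foreach ($samples as $name) {
    printf("%-45s %s\n", $name, delete_inside_dir($certs, $name) ? 'deleted' : 'rejected');
}
// Check whether the file outside certs/ survived the calls above.
var_dump(file_exists($root . DIRECTORY_SEPARATOR . 'wp-config.php'));

// Clean up the constructed tree.
unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($certs);
rmdir($root);
```

The `realpath()` comparison matters even after the bare-name check, because a symlink placed inside the directory would otherwise let a valid-looking name point at a file elsewhere.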
EUVD-2026-13636