Vulnerabilities ›

CVE-2025-14033

Medium

CWE-639 — Weakness Type

                    Published: May 13, 2026                      ·  Modified: May 16, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ticket_content_callback' function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to view any support ticket content, including sensitive customer information and private communications, by providing a ticket ID.

🤖 AI Executive Summary

The ilGhera Support System for WooCommerce plugin (versions ≤1.3.0) contains a critical authorization bypass vulnerability allowing unauthenticated attackers to access sensitive support ticket data. This vulnerability exposes customer information, private communications, and potentially payment details through simple ticket ID enumeration. No patch is currently available, requiring immediate compensating controls for affected Saudi e-commerce organizations.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 29, 2026 10:06

🇸🇦 Saudi Arabia Impact Assessment

High impact for Saudi e-commerce sector, particularly small-to-medium enterprises (SMEs) using WooCommerce for online retail. Banking sector at risk if payment information stored in tickets. Government procurement platforms using WooCommerce vulnerable to data exposure. Healthcare e-commerce platforms (pharmacies, medical supplies) exposed to HIPAA-equivalent violations under Saudi healthcare regulations. Telecom sector (STC, Mobily) customer service systems potentially compromised. Risk amplified by widespread WooCommerce adoption among Saudi online retailers and limited security awareness in SME segment.

🏢 Affected Saudi Sectors

E-commerce/Retail Banking and Financial Services Government and Public Sector Healthcare and Pharmaceuticals Telecommunications Hospitality and Tourism Education

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1566 - Phishing (information gathering for social engineering) T1589 - Gather Victim Identity Information T1592 - Gather Victim Host Information T1526 - Enumerate External Targets T1087 - Account Discovery T1040 - Network Sniffing (data in transit) T1557 - Man-in-the-Middle (if combined with network attacks)

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all WooCommerce installations for ilGhera Support System plugin presence and version

2. Disable the plugin immediately if version ≤1.3.0 is detected

3. Review access logs for unauthorized ticket access patterns (GET requests to /wp-admin/admin-ajax.php with 'get_ticket_content_callback' action)

4. Notify affected customers of potential data exposure

COMPENSATING CONTROLS (until patch available):

5. Implement Web Application Firewall (WAF) rules blocking requests to 'get_ticket_content_callback' endpoint

6. Restrict /wp-admin/admin-ajax.php access to authenticated users only via .htaccess or nginx configuration

7. Implement rate limiting on ticket retrieval endpoints

8. Move sensitive ticket data to separate database with additional access controls

9. Implement IP whitelisting for support ticket access

10. Enable WordPress security logging and monitoring for unauthorized access attempts

DETECTION RULES:

- Monitor for POST/GET requests containing 'action=get_ticket_content_callback' from unauthenticated sessions

- Alert on sequential ticket ID enumeration attempts (e.g., ticket_id=1,2,3...)

- Track failed authentication attempts followed by direct API calls

PATCHING:

- Monitor ilGhera plugin repository for security updates

- Consider alternative support ticket plugins (e.g., Awesome Support, Tickera) with better security records

- If upgrading becomes available, test thoroughly in staging environment before production deployment

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تثبيتات WooCommerce للتحقق من وجود مكون ilGhera Support System والإصدار

2. تعطيل المكون فوراً إذا تم اكتشاف الإصدار ≤1.3.0

3. مراجعة سجلات الوصول للكشف عن أنماط الوصول غير المصرح به للتذاكر

4. إخطار العملاء المتأثرين بإمكانية تعرض البيانات

الضوابط التعويضية (حتى توفر التصحيح):

5. تطبيق قواعد جدار الحماية لحجب طلبات نقطة نهاية 'get_ticket_content_callback'

6. تقييد الوصول إلى /wp-admin/admin-ajax.php للمستخدمين المصرح لهم فقط

7. تطبيق تحديد معدل الطلبات على نقاط نهاية استرجاع التذاكر

8. نقل بيانات التذاكر الحساسة إلى قاعدة بيانات منفصلة بضوابط وصول إضافية

9. تطبيق قائمة بيضاء للعناوين IP لوصول تذاكر الدعم

10. تفعيل تسجيل ومراقبة أمان WordPress لمحاولات الوصول غير المصرح به

قواعد الكشف:

- مراقبة طلبات POST/GET التي تحتوي على 'action=get_ticket_content_callback' من جلسات غير مصرح لها

- تنبيهات على محاولات تعداد معرف التذكرة المتسلسلة

- تتبع محاولات المصادقة الفاشلة متبوعة باستدعاءات API مباشرة

التصحيح:

- مراقبة مستودع مكون ilGhera للتحديثات الأمنية

- النظر في مكونات دعم بديلة بسجلات أمان أفضل

- اختبار شامل قبل النشر في بيئة الإنتاج

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policy (missing capability checks) ECC 2024 A.6.1.2 - User Registration and Access Rights Management ECC 2024 A.8.2.1 - User Access Management ECC 2024 A.9.2.1 - User Access Rights Review ECC 2024 A.12.4.1 - Event Logging (unauthorized access detection)

🔵 SAMA CSF

SAMA CSF ID.AM-1 - Asset Management (inventory of vulnerable plugins) SAMA CSF PR.AC-1 - Access Control Policy and Procedures SAMA CSF PR.AC-4 - Access Rights and Privileges SAMA CSF DE.AE-1 - Anomalies and Events Detection SAMA CSF RS.AN-1 - Incident Analysis

🟡 ISO 27001:2022

ISO 27001:2022 A.5.2 - Information Security Policies ISO 27001:2022 A.6.2 - Information Security Roles and Responsibilities ISO 27001:2022 A.8.1 - User Endpoint Devices ISO 27001:2022 A.8.2 - Privileged Access Rights ISO 27001:2022 A.8.3 - Information Access Restriction ISO 27001:2022 A.12.4 - Logging

🟣 PCI DSS v4.0.1

PCI DSS 1.1 - Firewall Configuration Standards PCI DSS 2.1 - Default Passwords and Security Parameters PCI DSS 6.2 - Security Patches and Updates PCI DSS 7.1 - Limit Access to System Components PCI DSS 10.2 - Implement Automated Audit Trails

🔗 References & Sources 6

🔗

https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.3.1/includes/class-...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-su...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-su...

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/40ceea17-ec60-4775-8495-e2f76...

security@wordfence.com

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-639

EPSS0.06%

Exploit No

Patch ✗ No

Published 2026-05-13

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-639

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2025-14033

Introduce Yourself

Sign In Required