CVE-2025-14033 Overview
CVE-2025-14033 is an information disclosure vulnerability in the ilGhera Support System for WooCommerce plugin for WordPress. The flaw stems from a missing capability check on the get_ticket_content_callback function in all versions up to and including 1.3.0. Unauthenticated attackers can read any support ticket by supplying a valid ticket ID, exposing customer information and private communications between merchants and customers. The issue is classified as Authorization Bypass [CWE-639] and is exploitable remotely over the network without user interaction.
Critical Impact
Unauthenticated attackers can enumerate ticket IDs and read sensitive support ticket content, including private customer communications, directly from any vulnerable WooCommerce store.
Affected Products
- ilGhera Support System for WooCommerce (WC Support System) plugin for WordPress
- All plugin versions up to and including 1.3.0
- Fixed in plugin version 1.3.1
Discovery Timeline
- 2026-05-13 - CVE-2025-14033 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2025-14033
Vulnerability Analysis
The ilGhera Support System for WooCommerce plugin exposes an AJAX endpoint backed by the get_ticket_content_callback function. This callback returns the full content of a support ticket when invoked with a ticket ID parameter. The function is registered for both authenticated and unauthenticated AJAX hooks, but it does not verify that the caller has permission to view the requested ticket.
Because ticket identifiers are sequential integers, an attacker can iterate ticket IDs and harvest the content of every ticket stored by the plugin. Disclosed data may include order references, full names, email addresses, shipping details, and the private message thread exchanged between store staff and customers. The vulnerability impacts confidentiality only; integrity and availability of the WordPress site are not directly affected.
Root Cause
The root cause is a missing authorization check in the AJAX handler. The plugin relies on the existence of a ticket ID as the sole gating mechanism, which is a classic Authorization Bypass Through User-Controlled Key pattern [CWE-639]. No current_user_can() check, ticket ownership verification, or nonce validation is performed before returning ticket content from class-wc-support-system.php.
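The following is an added illustration, not code from the ilGhera plugin, of the authorization pattern the advisory says is missing from get_ticket_content_callback: the vulnerable shape (ticket existence as the only gate) beside a hardened one that adds nonce validation, a logged-in requirement, and an object-level ownership or capability check. The post type 'wcss_ticket', the nonce action 'wcss_ticket_nonce', the script handle 'wcss-frontend', and the use of the 'manage_woocommerce' capability to identify staff are assumptions for the example and do not come from the advisory.

```php
<?php
// Added illustration, not code from the ilGhera plugin: the authorization
// pattern missing from get_ticket_content_callback, shown as the vulnerable
// shape beside a hardened one.
//
// Assumed names (not in the advisory): tickets are a custom post type
// 'wcss_ticket' whose post_author is the customer who opened it, the nonce
// action is 'wcss_ticket_nonce', and store staff hold 'manage_woocommerce'.

// --- Vulnerable shape (CWE-639): existence of the ticket is the only gate. ---
// Shown for contrast only; it is NOT registered below.
function insecure_get_ticket_content_callback() {
    $ticket = get_post( absint( $_REQUEST['ticket_id'] ?? 0 ) );
    if ( ! $ticket ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Whoever can reach admin-ajax.php receives the whole thread.
    wp_send_json_success( array( 'content' => $ticket->post_content ) );
}

// --- Hardened shape: decide WHO may read this ticket, not just whether it exists. ---
function secure_get_ticket_content_callback() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (check_ajax_referer dies with 403 if it is absent or stale).
    check_ajax_referer( 'wcss_ticket_nonce', 'nonce' );

    // 2. Anonymous callers never see ticket content. wp_ajax_ hooks only run
    //    for logged-in users, so this is belt-and-braces in case a nopriv
    //    hook is ever registered again.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $ticket = get_post( absint( $_REQUEST['ticket_id'] ?? 0 ) );

    // 3. Object-level authorization (the actual CWE-639 fix): the caller is
    //    staff or the ticket's owner. Missing and foreign tickets get the same
    //    404 so the endpoint cannot be used to confirm which IDs exist.
    if ( ! $ticket
        || 'wcss_ticket' !== $ticket->post_type
        || ! wcss_user_can_view_ticket( get_current_user_id(), $ticket ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array(
        'id'      => $ticket->ID,
        'content' => wp_kses_post( $ticket->post_content ),
    ) );
}

// Ownership rule, kept separate so it can be unit-tested without WordPress AJAX.
function wcss_user_can_view_ticket( int $user_id, WP_Post $ticket ): bool {
    if ( user_can( $user_id, 'manage_woocommerce' ) ) {
        return true;                                                // store staff
    }
    return $user_id > 0 && (int) $ticket->post_author === $user_id; // ticket owner
}

// Register the logged-in hook ONLY. The vulnerable version also registered
// 'wp_ajax_nopriv_get_ticket_content'; dropping that is part of the fix.
add_action( 'wp_ajax_get_ticket_content', 'secure_get_ticket_content_callback' );

// Hand the nonce to the (assumed, already registered) front-end script that
// calls the action, so step 1 above can succeed for legitimate requests.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'wcss-frontend', 'wcssAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'wcss_ticket_nonce' ),
    ) );
} );
```

The ownership check is the part that addresses CWE-639: a nonce alone stops cross-site forgery but does nothing against a logged-in user who simply changes ticket_id, and a capability check alone would lock customers out of their own tickets. Returning the same 404 for "does not exist" and "not yours" keeps the endpoint from acting as an oracle for which sequential IDs are in use.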
Attack Vector
Exploitation requires only network access to the WordPress site and the ability to call the plugin's AJAX action with a numeric ticket ID. An attacker scripts requests against wp-admin/admin-ajax.php, iterating ticket IDs and parsing each response. No credentials, user interaction, or elevated privileges are required. The vulnerable code paths are documented in the WordPress plugin repository and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-14033
Indicators of Compromise
- Repeated POST or GET requests to wp-admin/admin-ajax.php with the action=get_ticket_content parameter from a single IP address.
- Sequential or rapidly incrementing ticket_id values in AJAX request logs.
- Outbound responses from admin-ajax.php returning unusually large payloads to unauthenticated sessions.
Detection Strategies
- Inspect web server access logs for unauthenticated requests targeting the get_ticket_content AJAX action and flag clients enumerating ticket IDs.
- Deploy a web application firewall rule to identify high-frequency calls to the plugin's AJAX endpoint without an authenticated WordPress session cookie.
- Correlate spikes in admin-ajax.php traffic with known scanner user agents and reputation feeds.
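The following is an added detection example, not part of the advisory or of the vendor's plugin, that runs the indicators above over web-server access-log lines: it groups get_ticket_content calls by client IP and alerts on sequentially incrementing ticket_id values. It assumes Combined Log Format and that parameters are visible in the request line, which is only true for GET calls; POST bodies are not written to access logs, so POST-based enumeration needs application- or WAF-level logging instead. The sample log lines are constructed, and the thresholds are starting points to tune rather than measured values.

```php
<?php
// Added detection example, not part of the advisory or the vendor's plugin:
// scans access-log lines for clients enumerating ticket IDs through the
// get_ticket_content AJAX action.
//
// Assumptions: Combined Log Format; parameters are visible in the request
// line only for GET calls. POST bodies are not written to access logs, so
// POST-based enumeration needs application- or WAF-level logging instead.
// The thresholds below are starting points to tune, not measured values.

const WCSS_ENUM_MIN_IDS   = 5;    // distinct ticket_ids from one client before alerting
const WCSS_ENUM_SEQ_RATIO = 0.8;  // share of +/-1 steps between consecutive IDs

// Parse one Combined Log Format line; null when the line does not match.
function wcss_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    parse_str( (string) parse_url( $m[3], PHP_URL_QUERY ), $params );
    return array(
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => (string) parse_url( $m[3], PHP_URL_PATH ),
        'status' => (int) $m[4],
        'bytes'  => '-' === $m[5] ? 0 : (int) $m[5],
        'params' => $params,
    );
}

// Group get_ticket_content calls by client IP and flag sequential walks.
// Returns [ ip => [ 'ids' => [...], 'bytes' => n, 'alerts' => [...] ] ].
function wcss_find_ticket_enumeration( array $lines ): array {
    $per_ip = array();
    foreach ( $lines as $line ) {
        $req = wcss_parse_log_line( $line );
        if ( null === $req
            || substr( $req['path'], -15 ) !== '/admin-ajax.php'
            || ( $req['params']['action'] ?? '' ) !== 'get_ticket_content'
            || ! isset( $req['params']['ticket_id'] ) ) {
            continue;
        }
        $ip = $req['ip'];
        if ( ! isset( $per_ip[ $ip ] ) ) {
            $per_ip[ $ip ] = array( 'ids' => array(), 'bytes' => 0, 'alerts' => array() );
        }
        $per_ip[ $ip ]['ids'][]  = (int) $req['params']['ticket_id'];
        $per_ip[ $ip ]['bytes'] += $req['bytes'];
    }

    foreach ( $per_ip as $ip => &$stats ) {
        $ids = array_values( array_unique( $stats['ids'] ) );
        $n   = count( $ids );
        if ( $n < WCSS_ENUM_MIN_IDS ) {
            continue;
        }
        // Count consecutive requests whose IDs differ by exactly one, in
        // request order, which is what a scripted walk produces.
        $steps = 0;
        for ( $i = 1; $i < $n; $i++ ) {
            if ( 1 === abs( $ids[ $i ] - $ids[ $i - 1 ] ) ) {
                $steps++;
            }
        }
        if ( $steps / ( $n - 1 ) >= WCSS_ENUM_SEQ_RATIO ) {
            $stats['alerts'][] = sprintf(
                'sequential ticket_id walk: %d ids (%d..%d), %d bytes returned',
                $n, min( $ids ), max( $ids ), $stats['bytes']
            );
        }
    }
    unset( $stats );
    return $per_ip;
}

// Constructed sample (not real traffic): one scripted client walking IDs
// 100..105, one browser fetching a single ticket, one unrelated AJAX call.
$sample = array();
for ( $id = 100; $id <= 105; $id++ ) {
    $sample[] = sprintf(
        '203.0.113.7 - - [13/May/2026:10:00:%02d +0000] "GET /wp-admin/admin-ajax.php?action=get_ticket_content&ticket_id=%d HTTP/1.1" 200 4120 "-" "python-requests/2.31"',
        $id - 99, $id
    );
}
$sample[] = '198.51.100.20 - - [13/May/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_ticket_content&ticket_id=287 HTTP/1.1" 200 3900 "https://shop.example/my-account/" "Mozilla/5.0"';
$sample[] = '198.51.100.21 - - [13/May/2026:10:00:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"';

foreach ( wcss_find_ticket_enumeration( $sample ) as $ip => $stats ) {
    foreach ( $stats['alerts'] as $alert ) {
        echo "$ip: $alert\n";
    }
}
```

Run it with `php detect.php` against lines read from the real access log in place of $sample. The single-ticket browser client stays below WCSS_ENUM_MIN_IDS and produces no alert, while the scripted client does; the accumulated byte count per IP is the "unusually large payloads" indicator from the list above, useful as a second signal when a walker randomizes its order to defeat the sequential check.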
Monitoring Recommendations
- Forward WordPress and reverse proxy access logs to a centralized log platform and alert on anomalous AJAX action volumes.
- Track the installed version of the wc-support-system plugin across managed WordPress estates and alert on versions at or below 1.3.0.
- Monitor outbound data volumes from WordPress hosts to identify bulk ticket extraction.
How to Mitigate CVE-2025-14033
Immediate Actions Required
- Update the ilGhera Support System for WooCommerce plugin to version 1.3.1 or later on every affected WordPress site.
- Audit support ticket access logs for unauthenticated requests to get_ticket_content and notify affected customers if disclosure is confirmed.
- Rotate any credentials, order references, or coupon codes that were shared inside support tickets.
Patch Information
The vendor addressed the issue in version 1.3.1. The fix introduces an authorization check in the updated class-wc-support-system.php, as shown in the patched source on the WordPress plugin repository. Site administrators should apply the update through the WordPress plugin manager or by deploying the latest plugin package.
Workarounds
- Disable or uninstall the WC Support System plugin until the update to 1.3.1 can be applied.
- Restrict access to wp-admin/admin-ajax.php for the get_ticket_content action at the web application firewall, allowing only authenticated administrator sessions.
- Temporarily make the support area accessible only over an authenticated network path, such as VPN or IP allowlist, while remediation is staged.
# Example WP-CLI commands to inventory and update the vulnerable plugin
# Print the installed version; 1.3.0 or lower is vulnerable
wp plugin get wc-support-system --field=version
# Update to the fixed release
wp plugin update wc-support-system --version=1.3.1
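The following is an added example, not vendor code, of the second workaround above implemented at the WordPress layer as a must-use plugin: it intercepts every call to the get_ticket_content AJAX action before the plugin's own handler runs, logs the attempt (including POST requests whose parameters never reach the web-server access log), and serves only authenticated administrators until 1.3.1 is deployed. The action name and ticket_id parameter are taken from the indicators listed earlier; treating 'manage_options' as the administrator capability and the log format are assumptions to verify against the installed plugin.

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2025-14033 (added example)
 * Description: Added example, not vendor code. Logs every call to the
 * get_ticket_content AJAX action and serves only authenticated administrators
 * until the plugin is updated to 1.3.1. Install by copying this file into
 * wp-content/mu-plugins/ (must-use plugins load before normal plugins).
 *
 * Assumptions: the action name 'get_ticket_content' and the 'ticket_id'
 * parameter are taken from the advisory's indicators; 'manage_options' is
 * used as the administrator capability. Verify both against the plugin.
 */

// admin-ajax.php fires 'admin_init' for every request, logged in or not,
// before it dispatches wp_ajax_* / wp_ajax_nopriv_* hooks, so a priority-1
// callback here runs ahead of the vulnerable handler.
add_action( 'admin_init', 'wcss_guard_ticket_content', 1 );

function wcss_guard_ticket_content(): void {
    if ( ! wp_doing_ajax() || 'get_ticket_content' !== ( $_REQUEST['action'] ?? '' ) ) {
        return;
    }
    $verdict = wcss_guard_verdict( is_user_logged_in(), current_user_can( 'manage_options' ) );

    // Application-level log line: unlike the access log it also captures
    // POST requests, whose parameters never reach the web-server log.
    error_log( sprintf(
        'wcss-guard verdict=%s ip=%s method=%s ticket_id=%d',
        $verdict,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        absint( $_REQUEST['ticket_id'] ?? 0 )
    ) );

    if ( 'allow' !== $verdict ) {
        // Detach any anonymous handler the plugin registered, then stop.
        remove_all_actions( 'wp_ajax_nopriv_get_ticket_content' );
        wp_send_json_error( 'forbidden', 403 );
    }
}

// Pure policy decision, kept free of WordPress calls so it can be unit-tested.
function wcss_guard_verdict( bool $logged_in, bool $is_admin ): string {
    if ( ! $logged_in ) {
        return 'deny-anonymous';
    }
    if ( ! $is_admin ) {
        return 'deny-non-admin';
    }
    return 'allow';
}
```

Because it matches the workaround's "administrator sessions only" wording, this guard also stops customers from viewing their own tickets through the action for as long as it is installed; remove the file once 1.3.1 is in place. The wcss-guard lines it writes to the PHP error log give the per-request ticket_id sequence that the access-log check above cannot see for POST traffic.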
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.