CVE-2024-10627: 
WordPress vulnerability analysis and mitigation

The WooCommerce Support Ticket System plugin for WordPress contains a critical vulnerability (CVE-2024-10627) discovered in November 2024. The vulnerability affects all versions up to and including 17.7, allowing unauthenticated attackers to upload arbitrary files due to missing file type validation in the ajaxmanagefilechunkupload() function (NVD).

The vulnerability stems from improper file type validation in the ajaxmanagefilechunkupload() function. It has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Wordfence). The vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type.

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially enabling remote code execution. This presents a severe security risk as attackers could gain unauthorized access and control over the affected WordPress installations (NVD).

Site administrators running the WooCommerce Support Ticket System plugin should immediately update to a version newer than 17.7. The vulnerability was addressed in version 17.8 with improved security measures (CodeCanyon).