
CVE-2026-2421: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ghera74 ilGhera Carta Docente for WooCommerce

Severity: Medium
Published: Fri Mar 20 2026 (03/20/2026, 08:25:57 UTC)
Source: CVE Database V5
Vendor/Project: ghera74
Product: ilGhera Carta Docente for WooCommerce

Description

CVE-2026-2421 is a path traversal vulnerability (CWE-22) in the ilGhera Carta Docente for WooCommerce WordPress plugin, affecting all versions up to and including 1.5.0. It arises from insufficient validation of the 'cert' parameter in the 'wccd-delete-certificate' AJAX action, which allows authenticated users with Administrator privileges to delete arbitrary files on the server. Exploitation can delete critical files such as wp-config.php, which can in turn lead to site takeover and remote code execution. The vulnerability requires high privileges and no user interaction and carries a CVSS 3.1 score of 6.5 (medium severity). No exploitation in the wild has been reported. Organizations using this plugin should apply a fixed version as soon as one is available and mitigate in the meantime, since the impact on integrity and availability is significant.

AI-Powered Analysis

Last updated: 03/20/2026, 09:11:57 UTC

Technical Analysis

The vulnerability identified as CVE-2026-2421 affects the ilGhera Carta Docente for WooCommerce plugin for WordPress, specifically versions up to and including 1.5.0. The root cause is an improper limitation of a pathname to a restricted directory (CWE-22): the plugin fails to adequately validate the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This parameter names the file to delete, but because the value is not constrained to a bare file name inside the certificate directory, an authenticated user with Administrator-level access can supply a traversal sequence such as '../' and delete arbitrary files that the web server process is permitted to remove. Critical files such as wp-config.php, which stores the database credentials and configuration settings, can be targeted. Deleting wp-config.php does more than cause an outage: when the file is missing, WordPress treats the site as not yet installed and serves its setup wizard, so an attacker can re-run the installation against a database they control, obtain a fresh administrator account, and then upload a malicious plugin or theme, which is the usual route to remote code execution. The attack vector requires network access (remote), low attack complexity, and high privileges but no user interaction. The vulnerability is rated medium severity with a CVSS 3.1 score of 6.5, reflecting high impact on integrity and availability but no direct confidentiality loss. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. The vulnerability was reserved in February 2026 and published in March 2026 by Wordfence.

Potential Impact

This vulnerability poses a serious risk to organizations running WordPress sites with the ilGhera Carta Docente for WooCommerce plugin installed, particularly where an administrative account could be compromised or misused. Successful exploitation deletes files the web server process is allowed to remove, causing website outages and loss of integrity. Deleting wp-config.php breaks database connectivity and takes the site down, and because WordPress then offers its setup wizard, an attacker can reinstall the site against a database they control and from there execute code or take full control, leading to data breaches, defacement, or use of the site as a launchpad for further attacks. For an e-commerce site this directly affects revenue and customer trust. Since the vulnerability requires Administrator-level access, the threat is greatest in environments with weak internal controls, shared administrator credentials, or no multi-factor authentication. The absence of known exploits reduces the immediate risk but does not eliminate the potential for targeted attacks, given how widely WordPress and WooCommerce are deployed.

Mitigation Recommendations

To mitigate this vulnerability, update the ilGhera Carta Docente for WooCommerce plugin to a version that addresses the flaw as soon as one is available. Until then, consider deactivating the plugin, or intercept the 'wccd-delete-certificate' AJAX action before the plugin's own handler runs and reject any 'cert' value that is not a bare file name (no path separators, no '..', no NUL bytes), so the parameter cannot reference files outside the intended directory. A web application firewall with a rule for path traversal patterns in requests to this action can provide interim protection; note that admin-ajax.php requests are normally POSTed, so the rule must inspect the request body and not only the query string. Enforce strict administrative access controls, including multi-factor authentication and least privilege, to reduce the risk of the compromised or malicious administrator account that exploitation requires. Keep regular backups of critical files such as wp-config.php to enable rapid recovery if deletion occurs. Monitor web server and application logs for requests to this action with suspicious 'cert' values and for anomalous administrator activity, so that exploitation attempts are detected early. Finally, where feasible, protect critical WordPress files from deletion by the web server process; on POSIX file systems deletion is governed by write permission on the containing directory rather than on the file itself, so the WordPress root directory must not be writable by the PHP process (an immutable attribute on wp-config.php is an alternative where the platform supports it).
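As an added example for the log-monitoring recommendation above (not part of the original advisory, and not a Wordfence or OffSeq rule), the script below scans web server access-log lines for requests to the 'wccd-delete-certificate' action whose 'cert' parameter contains traversal characters. The log lines are constructed for the illustration using RFC 5737 documentation addresses, the combined log format is assumed, and the function names (normalise, is_traversal, detect_traversal) are the example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined format; they are not from any real site.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wccd-delete-certificate&cert=order-1001.pdf HTTP/1.1" 200 27 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=wccd-delete-certificate&cert=../../../wp-config.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2026:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=wccd-delete-certificate&cert=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 27 "-" "curl/8.4.0"
198.51.100.7 - - [20/Mar/2026:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=wccd-delete-certificate&cert=%252e%252e%252f.htaccess HTTP/1.1" 200 27 "-" "curl/8.4.0"
192.0.2.5 - - [20/Mar/2026:10:03:00 +0000] "GET /product/cert-..-foo/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# ip, ident, user, [time], "method target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(value: str) -> str:
    """Undo up to two layers of URL encoding so %2e%2e and %252e%252e both surface as '..'."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """The 'cert' value should be a bare file name; any separator, '..' or NUL is anomalous."""
    v = normalise(value)
    return "\x00" in v or "/" in v or "\\" in v or ".." in v


def detect_traversal(log_text: str,
                     action: str = "wccd-delete-certificate",
                     param: str = "cert") -> list:
    """Return one finding per request to the AJAX action whose `param` looks like traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)  # decodes one encoding layer
        if action not in qs.get("action", []):
            continue
        for raw in qs.get(param, []):
            if is_traversal(raw):
                findings.append({
                    "ip": m["ip"],
                    "time": m["time"],
                    "method": m["method"],
                    "status": int(m["status"]),
                    "cert": normalise(raw),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_traversal(SAMPLE_LOG):
        print(finding)
```

Legitimate deletions by administrators are expected traffic, so the detector alerts on the shape of the 'cert' value rather than on use of the action itself. Because admin-ajax.php is normally called with POST and the parameters then travel in the request body, which access logs do not record, the same check should also be applied to a source that captures bodies (a WAF or ModSecurity audit log, or request logging inside PHP) to see the more common variant of the attack.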


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-02-12T20:06:45.334Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69bd0b4ce32a4fbe5f4933a4

Added to database: 3/20/2026, 8:54:36 AM

Last enriched: 3/20/2026, 9:11:57 AM

Last updated: 3/20/2026, 11:54:28 AM


