CVE-2026-2421

The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the ‘cert’ parameter of the ‘wccd-delete-certificate’ AJAX action. This is due to insufficient file path validation before performing a file deletion. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible.

More information : https://plugins.trac.wordpress.org/browser/wc-carta-docente/tags/1.4.7/includes/class-wccd-admin.php#L88