WordPress Plugin Vulnerabilities

JS Help Desk - Best Help Desk & Support < 2.7.8 - Subscriber+ Ticket Manipulation via IDOR

Description

The plugin does not have authorisation in its ajaxhandler function, allowing any authenticated users, such as subscriber to modify ticket data as well as delete template and images

Affects Plugins

Plugin icon
js-support-ticket
Fixed in 2.7.8

References

CVE
CVE-2023-23679

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.6 (medium)

Miscellaneous

Original Researcher
Fariq Fadillah Gusti Insani
Verified
No
WPVDB ID
04e73ab2-3cfb-4405-a6fb-17b293a3b561

Timeline

Publicly Published
2023-06-23 (about 2 years ago)
Added
2023-06-26 (about 2 years ago)
Last Updated
2023-08-10 (about 2 years ago)

Other

Published
Title
Published
2021-11-22
Title
Logo Carousel < 3.4.2 - Unauthorised Private Post Access
Published
2024-12-04
Title
AnyWhere Elementor < 1.2.12 - Authenticated (Contributor+) Post Disclosure
Published
2020-06-27
Title
Advanced Forms < 1.6.9 - Subscriber+ Arbitrary User Email Address Update via IDOR
Published
2025-05-01
Title
Homey - Booking and Rentals WordPress Theme < 2.4.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion
Published
2026-01-29
Title
Shiprocket <= 2.0.8 - Authenticated (Subscriber+) Insecure Direct Object Reference