WordPress Plugin Vulnerabilities

SupportCandy < 2.2.7 - CSRF to Cross-Site Scripting

Description

The plugin does not have CSRF check in the wpsc_tickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter (stored in their cookies) with an XSS payload in it.

Proof of Concept

Affects Plugins

Plugin icon
supportcandy
Fixed in 2.2.7

References

CVE
CVE-2021-24879

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
6dfb4f61-c8cb-40ad-812f-139482be0fb4

Timeline

Publicly Published
2022-01-05 (about 3 years ago)
Added
2022-01-05 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-04-09
Title
WP Event Aggregator < 1.7.7 - Cross-Site Request Forgery via wpea_deauthorize_user()
Published
2024-11-28
Title
Photo Video Store <= 21.07 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-22
Title
SALESmanago < 3.8.2 - Cross-Site Request Forgery
Published
2024-07-17
Title
Cooked – Recipe Management < 1.8.0 - Cross-Site Request Forgery via cooked_get_recipe_ids
Published
2025-10-03
Title
Trinity Audio < 5.21.0 - Cross-Site Request Forgery