Awesome Support < 6.1.7 – Insufficient Authorization via wpas_can_delete_attachments() | CVE 2024-24716 | Plugin Vulnerabilities

Description

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check in the wpas_can_delete_attachments() function in all versions up to, and including 6.1.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete attachments.

Affects Plugins

awesome-support

Fixed in 6.1.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ffb8a285-43c6-4956-ad37-484269463b2d

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Brandon James Roldan (tomorrowisnew)

Verified

No

WPVDB ID

914c8be4-5a56-4019-beb6-3669110ce8ba

Timeline

Publicly Published

2024-03-12 (about 2 years ago)

Added

2024-03-12 (about 2 years ago)

Last Updated

2024-03-12 (about 2 years ago)

Other

Published

Title

Published

2026-01-13

Title

Float Payment Gateway < 1.1.10 - Improper Authorization to Unauthenticated Order Status Manipulation

Published

2022-11-21

Title

StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation

Published

2026-01-12

Title

CP Image Store with Slideshow < 1.2.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import

Published

2021-12-28

Title

Shortcode Addons < 3.2.0 - Authenticated Arbitrary Options Update

Published

2026-01-06

Title

Rankology SEO and Analytics Tool <= 2.0 - Editor+ Header & Footer Code Creation