WordPress Plugin Vulnerabilities

Awesome Support < 6.1.2 - Subscriber+ Arbitrary Exported Tickets Download

Description

The plugin does not verify that the exported tickets archive requested for download belongs to the user making the request, allowing a low-privileged user, such as a subscriber, to download arbitrary exported tickets via an IDOR vector (the archive is selected purely by an attacker-controlled identifier).

Proof of Concept

As a low-privileged user, open a ticket and export it (via the Profile page), then copy its download URL and change the file parameter to download other users' ticket exports.

https://example.com/wp-admin/profile.php?file=2&check=7311d87c18
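The pattern behind this class of bug, as an added illustration that is not Awesome Support's code: a WordPress download handler that validates only the nonce in check, beside a hardened form that also binds the export to the requesting user. The lookup helper, file-sending helper and nonce action name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Export records are modelled as
// a constructed in-memory table mapping an export id to its owner and file.

// Hypothetical lookup: returns ['user_id' => int, 'path' => string] or null.
function example_get_ticket_export( int $export_id ): ?array {
    $exports = [ // constructed sample data standing in for a database table
        1 => [ 'user_id' => 5, 'path' => '/uploads/exports/export-1.zip' ],
        2 => [ 'user_id' => 9, 'path' => '/uploads/exports/export-2.zip' ],
    ];
    return $exports[ $export_id ] ?? null;
}

// Hypothetical helper that streams the archive to the browser.
function example_send_file( string $path ): void {
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

// Vulnerable pattern: the nonce only proves the request came from a logged-in
// user's own profile page; it says nothing about who owns export #file.
function example_vulnerable_download(): void {
    if ( ! isset( $_GET['file'], $_GET['check'] ) || ! wp_verify_nonce( $_GET['check'], 'export_download' ) ) {
        wp_die( 'Invalid request.' );
    }
    $export = example_get_ticket_export( (int) $_GET['file'] );
    if ( null === $export ) {
        wp_die( 'Not found.' );
    }
    example_send_file( $export['path'] ); // any subscriber can request another user's id
}

// Hardened pattern: keep the nonce check and add an ownership check.
function example_hardened_download(): void {
    if ( ! isset( $_GET['file'], $_GET['check'] ) || ! wp_verify_nonce( $_GET['check'], 'export_download' ) ) {
        wp_die( 'Invalid request.' );
    }
    $export = example_get_ticket_export( (int) $_GET['file'] );
    // Deny unless the export belongs to the current user (or the user may manage
    // the site). Missing and foreign records get the same 404 so ids cannot be
    // enumerated by the response.
    if ( null === $export
        || ( (int) $export['user_id'] !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) ) {
        wp_die( 'Not found.', '', [ 'response' => 404 ] );
    }
    example_send_file( $export['path'] );
}
```

Detection on the server side is straightforward: log the requesting user id alongside the requested file id for this endpoint and alert on a single account requesting ids it does not own.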

Affects Plugins

Fixed in 6.1.2

References

Classification

Type
IDOR
CWE

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes

Timeline

Publicly Published
2022-11-07
Added
2022-11-07
Last Updated
2022-11-07

Other