Awesome Support < 6.1.2 – Subscriber+ Arbitrary Exported Tickets Download | CVE 2022-3511 | Plugin Vulnerabilities

Description

The plugin does not ensure that the exported tickets archive to be downloaded belongs to the user making the request, allowing a low privileged user, such as subscriber to download arbitrary exported tickets via an IDOR vector

Proof of Concept

As a low privilege user, open a ticket and export it (via the Profile page), then copy its download URL and change the file parameter to download other user ticket exports

https://example.com/wp-admin/profile.php?file=2&check=7311d87c18

Affects Plugins

awesome-support

Fixed in 6.1.2

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

9e57285a-0023-4711-874c-6e7b3c2673d1

Timeline

Publicly Published

2022-11-07 (about 3 years ago)

Added

2022-11-07 (about 3 years ago)

Last Updated

2022-11-07 (about 3 years ago)

Other

Published

Title

Published

2021-03-17

Title

BuddyPress < 7.2.1 - REST API Privilege Escalation

Published

2024-06-18

Title

Replace Image < 1.1.11 - Insecure Direct Object Reference

Published

2024-09-23

Title

Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress < 1.8.1.15 - Insecure Direct Object Reference to Account Takeover and Privilege Escalation

Published

2023-04-10

Title

Blocksy Companion < 1.8.82 - Subscriber+ Draft Post Access

Published

2021-06-03

Title

Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak