Woocommerce Support System < 1.2.3 – Unauthenticated Ticket Deletion/Update, Settings Update etc | CVE 2023-41686 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on several functions hook via 'init', 'admin_init', and AJAX actions, allowing unauthenticated attackers to perform a variety of actions such as modifying and deleting user tickets, editing settings, and more.

Affects Plugins

wc-support-system

Fixed in 1.2.3

References

CVE

URL

https://patchstack.com/database/vulnerability/wc-support-system/wordpress-woocommerce-support-system-plugin-1-2-0-cross-site-request-forgery-csrf-vulnerability

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Verified

No

WPVDB ID

cd0cc84a-0971-4931-8eee-1446e0cf0f55

Timeline

Publicly Published

2023-09-04 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2025-06-16 (about 10 months ago)

Other

Published

Title

Published

2026-03-15

Title

Tutor LMS < 3.9.8 - Missing Authorization

Published

2025-09-26

Title

Theme My Login < 7.1.13 - Missing Authorization

Published

2025-07-16

Title

Hestia < 3.2.11 - Missing Authorization

Published

2025-06-04

Title

InWave Jobs <= 3.5.8 - Missing Authorization

Published

2025-01-30

Title

Media Manager for UserPro <= 3.12.0 - Missing Authorization to Unauthenticated Arbitrary Options Update