Vulnerabilities > CVE-2021-24839 - Missing Authorization vulnerability in Supportcandy

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

supportcandy

CWE-862

NVD

Published: 2022-02-07

Updated: 2022-08-30

Summary

The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions may be affected as well.

Vulnerable Configurations

Part	Description	Count
Application	Supportcandy Supportcandy Supportcandy - Supportcandy Supportcandy 1.0.0 Supportcandy Supportcandy 1.0.1 Supportcandy Supportcandy 1.0.2 Supportcandy Supportcandy 1.0.3 Supportcandy Supportcandy 1.0.4 Supportcandy Supportcandy 1.0.5 Supportcandy Supportcandy 1.0.6 Supportcandy Supportcandy 1.0.7 Supportcandy Supportcandy 1.0.8 Supportcandy Supportcandy 1.0.9 Supportcandy Supportcandy 1.1.0 Supportcandy Supportcandy 1.1.1 Supportcandy Supportcandy 1.1.2 Supportcandy Supportcandy 1.1.3 Supportcandy Supportcandy 1.1.4 Supportcandy Supportcandy 1.1.5 Supportcandy Supportcandy 2.0.0 Supportcandy Supportcandy 2.0.1 Supportcandy Supportcandy 2.0.2 Supportcandy Supportcandy 2.0.3 Supportcandy Supportcandy 2.0.4 Supportcandy Supportcandy 2.0.5 Supportcandy Supportcandy 2.0.6 Supportcandy Supportcandy 2.0.7 Supportcandy Supportcandy 2.0.8 Supportcandy Supportcandy 2.0.9 Supportcandy Supportcandy 2.1.0 Supportcandy Supportcandy 2.1.1 Supportcandy Supportcandy 2.1.2 Supportcandy Supportcandy 2.1.3 Supportcandy Supportcandy 2.1.4 Supportcandy Supportcandy 2.1.5 Supportcandy Supportcandy 2.1.6 Supportcandy Supportcandy 2.1.7 Supportcandy Supportcandy 2.1.8 Supportcandy Supportcandy 2.1.9 Supportcandy Supportcandy 2.2.0 Supportcandy Supportcandy 2.2.1 Supportcandy Supportcandy 2.2.2 Supportcandy Supportcandy 2.2.3 Supportcandy Supportcandy 2.2.4	42

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://wpscan.com/vulnerability/5e6e63c2-2675-4b8d-9b94-c16c525a1a0e