48 matches found

OSV
added 2022/02/07 4:15 p.m. · 2 views

CVE-2021-24880

The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...

5.4 CVSS · 5.8 AI score · 0.0018 EPSS
Exploits: 2 · References: 1
OSV
added 2022/02/07 4:15 p.m. · 1 views

CVE-2021-24843

The SupportCandy WordPress plugin before 2.2.7 does not have a CSRF check in its wpsctickets AJAX action, which could allow attackers to make a logged-in admin call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction...

6.5 CVSS · 5.9 AI score
Exploits: 0 · References: 1
Positive Technologies
added 2022/02/07 12:0 a.m. · 3 views

PT-2022-9489

Name of the Vulnerable Software and Affected Versions: SupportCandy WordPress plugin versions prior to 2.2.7
Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the plugin does not properly sanitise and escape the query string before outputting it back...

6.1 CVSS · 5.9 AI score · 0.00368 EPSS
Exploits: 2 · References: 6
Positive Technologies
added 2022/02/07 12:0 a.m. · 2 views

PT-2022-9480 · WordPress · Supportcandy

Name of the Vulnerable Software and Affected Versions: SupportCandy WordPress plugin versions prior to 2.2.5
Description: The issue is related to the lack of authorisation and CSRF checks in the wpsc tickets AJAX action, which could allow unauthenticated users to delete arbitrary tickets via the...

7.5 CVSS · 7.5 AI score · 0.01009 EPSS
Exploits: 2 · References: 5
VulnCheck KEV
added 2022/01/05 12:0 a.m. · 1 views

VulnCheck KEV: CVE-2021-24878

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue...

6.1 CVSS · 6.4 AI score · 0.00368 EPSS
Exploits: 2 · References: 1
Patchstack
added 2022/01/05 12:0 a.m. · 20 views

WordPress SupportCandy plugin <= 2.2.6 - Stored Cross-Site Scripting (XSS) vulnerability

Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress SupportCandy plugin versions <= 2.2.6. Solution: Update the WordPress SupportCandy plugin to the latest available version (at least 2.2.7)...

5.4 CVSS · 1.9 AI score · 0.0018 EPSS
Exploits: 2 · References: 3 · Affected Software: 1
OSV
added 2019/04/18 6:29 p.m. · 0 views

CVE-2019-11223

An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension...

9.8 CVSS · 7.6 AI score
Exploits: 0 · References: 4
Cvelist
added 2019/04/18 5:8 p.m. · 15 views

CVE-2019-11223

An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension...

9.8 AI score · 0.44046 EPSS
Exploits: 1 · References: 4