3 matches found
CVE-2021-24839
The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsctickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction. Other actions may be affected as well...
CVE-2021-24839
CVE-2021-24839 affects the SupportCandy WordPress plugin pre-2.2.5. The wpsc_tickets AJAX action lacks authorization and CSRF checks, enabling unauthenticated remote calls to delete arbitrary tickets via set_delete_permanently_bulk_ticket (and possibly affecting other actions). NVD lists CVSSv3.1...
CVE-2021-24839 SupportCandy < 2.2.5 - Unauthenticated Arbitrary Ticket Deletion
The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsctickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction. Other actions may be affected as well...