
4 matches found

OSV
added 2022/02/07 4:15 p.m., 0 views

CVE-2021-24843

The SupportCandy WordPress plugin before 2.2.7 does not have a CSRF check in its wpsctickets AJAX action, which could allow attackers to make a logged-in admin call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction...

CVSS 6.5, AI score 5.9
Exploits: 0, References: 1
NVD
added 2022/02/07 4:15 p.m., 8 views

CVE-2021-24839

The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsctickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction. Other actions may be affected as well...

CVSS 7.5, EPSS 0.01009
Exploits: 2, References: 1
CNNVD
added 2022/02/07 12:00 a.m., 3 views

WordPress plugin cross-site request forgery vulnerability

WordPress plugin is an open source application plugin for WordPress. A cross-site request forgery vulnerability exists in the WordPress plugin SupportCandy, which arises because the plugin's wpsctickets request does not validate authorization, and can be exploited by an unauthorized attacker to delet...

CVSS 7.5, AI score 7.2, EPSS 0.01009
Exploits: 2, References: 2
wpexploit
added 2022/01/05 12:00 a.m., 73 views

SupportCandy < 2.2.7 - CSRF to Cross-Site Scripting

The plugin does not have a CSRF check in the wpsctickets AJAX action, nor any sanitisation or escaping in some of the filter fields, which could allow attackers to make a logged-in user with access to the ticket lists dashboard set an arbitrary filter stored in their cookies with an XSS payloa...

CVSS 8.8, AI score 0.7, EPSS 0.00202
Exploits: 2
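All four results describe the same weakness class: a WordPress admin-ajax.php action that performs a state change (bulk permanent deletion of tickets, setting a stored filter) without a nonce check, and in the unauthenticated variant without a capability check either. The following is an added illustration, not SupportCandy's code: a hypothetical handler written the way the advisories describe, beside a hardened version using the standard WordPress checks. The hook name `wpsctickets` and the value `setdeletepermanentlybulkticket` are taken from the advisory text; the parameter names `setting_action`, `ticket_ids` and `filter`, the `manage_options` capability, the nonce action name and the `example_delete_ticket_permanently` helper are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Hook and setting names come from
// the advisories; parameter names, capability, nonce action and the deletion
// helper are assumptions.

// Stand-in for the plugin's real deletion routine (assumed helper).
function example_delete_ticket_permanently( $ticket_id ) {
    // Persistent deletion would happen here.
}

// --- Vulnerable pattern (as described in CVE-2021-24839 / CVE-2021-24843) ---
// Registered for logged-in callers AND, via the nopriv hook, for anonymous
// visitors; the handler neither verifies a nonce nor checks a capability.
// A cross-site form post from any page an admin visits triggers the delete,
// and with the nopriv hook no victim is even needed.
//
//   add_action( 'wp_ajax_wpsctickets',        'vuln_wpsctickets_handler' );
//   add_action( 'wp_ajax_nopriv_wpsctickets', 'vuln_wpsctickets_handler' );
function vuln_wpsctickets_handler() {
    $setting_action = isset( $_POST['setting_action'] ) ? $_POST['setting_action'] : '';
    if ( 'setdeletepermanentlybulkticket' === $setting_action ) {
        $ids = isset( $_POST['ticket_ids'] ) ? (array) $_POST['ticket_ids'] : array();
        foreach ( $ids as $id ) {
            example_delete_ticket_permanently( (int) $id );
        }
    }
    // Filter value stored and later reflected without sanitisation or
    // escaping: the CSRF-to-stored-XSS chain in the wpexploit entry.
    $filter = isset( $_POST['filter'] ) ? $_POST['filter'] : '';
    wp_send_json_success( array( 'filter' => $filter ) );
}

// --- Hardened pattern ---
// Privileged hook only, nonce bound to this action, capability check before
// any state change, input sanitised on the way in and escaped on the way out.
add_action( 'wp_ajax_wpsctickets', 'safe_wpsctickets_handler' );
function safe_wpsctickets_handler() {
    // Dies with HTTP 403 if _wpnonce is missing, stale or for another action.
    check_ajax_referer( 'wpsctickets_nonce', '_wpnonce' );

    // Assumed capability: the advisories describe the target as an admin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $setting_action = isset( $_POST['setting_action'] ) ? sanitize_key( $_POST['setting_action'] ) : '';
    if ( 'setdeletepermanentlybulkticket' === $setting_action ) {
        $ids = isset( $_POST['ticket_ids'] ) ? array_map( 'absint', (array) $_POST['ticket_ids'] ) : array();
        foreach ( $ids as $id ) {
            if ( $id > 0 ) {
                example_delete_ticket_permanently( $id );
            }
        }
    }

    $filter = isset( $_POST['filter'] ) ? sanitize_text_field( wp_unslash( $_POST['filter'] ) ) : '';
    wp_send_json_success( array( 'filter' => esc_html( $filter ) ) );
}

// Nonce the ticket-list page must embed so that legitimate requests pass
// check_ajax_referer() and forged cross-site requests do not.
function wpsctickets_nonce() {
    return wp_create_nonce( 'wpsctickets_nonce' );
}
```

The nonce alone closes the CSRF vector for logged-in victims (CVE-2021-24843); dropping the `wp_ajax_nopriv_` registration and adding the capability check is what closes the unauthenticated variant (CVE-2021-24839), since a nonce is only meaningful once the caller has a session to bind it to. Sanitising and escaping the filter value is independent of both and is what breaks the CSRF-to-XSS chain.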