CVE-2021-24879
📋 TL;DR
This vulnerability in the SupportCandy WordPress plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that can set malicious filters containing Cross-Site Scripting (XSS) payloads in logged-in users' cookies. Attackers can exploit this to execute arbitrary JavaScript in the context of authenticated users who have access to ticket lists. WordPress sites running SupportCandy plugin versions before 2.2.7 are affected.
💻 Affected Systems
- SupportCandy WordPress Plugin
📦 What is this software?
Supportcandy by Supportcandy
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or install backdoors through stored XSS payloads.
Likely Case
Attackers trick authenticated users into clicking malicious links that set XSS payloads in their ticket filters, leading to session hijacking or account compromise.
If Mitigated
With proper CSRF tokens and input validation, the attack would fail as unauthorized requests would be rejected and malicious payloads would be sanitized.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users into clicking malicious links. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.7
Vendor Advisory: https://wpscan.com/vulnerability/6dfb4f61-c8cb-40ad-812f-139482be0fb4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the SupportCandy plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.2.7+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the SupportCandy plugin until patched to prevent exploitation.
wp plugin deactivate supportcandy
Web Application Firewall Rules
Implement WAF rules to block requests to the wpsc_tickets AJAX endpoint that do not carry a valid CSRF token (WordPress nonce).
🧯 If You Can't Patch
- Restrict access to ticket lists dashboard to only essential personnel
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the SupportCandy version. If the version is below 2.2.7, the site is vulnerable.
Check Version:
wp plugin list --name=supportcandy --field=version
Verify Fix Applied:
Verify SupportCandy plugin version is 2.2.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=wpsc_tickets
- Multiple failed CSRF validation attempts
Network Indicators:
- HTTP requests setting unusual cookie values for ticket filters
- Suspicious referrer headers in AJAX requests
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "wpsc_tickets" AND NOT "_wpnonce"
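The log, network and SIEM indicators above can be turned into a small detection routine. The following is an added example, not code from SupportCandy, WPScan or this advisory: it applies the three indicators (admin-ajax.php request with action=wpsc_tickets and no _wpnonce, missing or off-site Referer, and repeated nonce-less requests from one source) to constructed request records. The record layout (method/src_ip/host/path/body/referer) is an assumption about what a log pipeline would hand to a SIEM, not a real log format; the sample values are made up.

```python
"""Detection logic for the CVE-2021-24879 indicators (added example, not SupportCandy code)."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

TARGET_ACTION = "wpsc_tickets"          # AJAX action named in the advisory
NONCE_FIELDS = ("_wpnonce", "nonce")    # parameter names WordPress uses for nonces

# Constructed sample records (not real logs). Field layout is an assumption.
SAMPLE_RECORDS = [
    # legitimate filter change from the plugin's own admin page, nonce present
    {"method": "POST", "src_ip": "10.0.0.5", "host": "example.test",
     "path": "/wp-admin/admin-ajax.php",
     "body": "action=wpsc_tickets&setting=filter&_wpnonce=0123abcd",
     "referer": "https://example.test/wp-admin/admin.php?page=wpsc-tickets"},
    # request launched from a third-party page, no nonce
    {"method": "POST", "src_ip": "10.0.0.7", "host": "example.test",
     "path": "/wp-admin/admin-ajax.php",
     "body": "action=wpsc_tickets&setting=filter",
     "referer": "https://third-party.invalid/page.html"},
    # unrelated WordPress AJAX action, must be ignored
    {"method": "POST", "src_ip": "10.0.0.7", "host": "example.test",
     "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat",
     "referer": "https://example.test/wp-admin/"},
    # same action carried in the query string, no nonce, no Referer at all
    {"method": "GET", "src_ip": "10.0.0.7", "host": "example.test",
     "path": "/wp-admin/admin-ajax.php?action=wpsc_tickets&setting=filter",
     "body": "", "referer": ""},
]


def _params(record):
    """Merge query-string and body parameters into one dict of first values."""
    url = urlparse(record["path"])
    merged = {k: v[0] for k, v in parse_qs(url.query).items()}
    merged.update({k: v[0] for k, v in parse_qs(record.get("body", "")).items()})
    return url.path, merged


def classify_request(record):
    """Return the indicator names one request record triggers (empty list = benign)."""
    path, params = _params(record)
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return []
    if params.get("action") != TARGET_ACTION:
        return []
    findings = []
    # Indicator 1: the SIEM query's  "wpsc_tickets" AND NOT "_wpnonce"
    if not any(field in params for field in NONCE_FIELDS):
        findings.append("wpsc_tickets request without nonce")
    # Indicator 2: suspicious Referer on the AJAX request
    referer = record.get("referer", "")
    if not referer:
        findings.append("missing referer")
    elif urlparse(referer).hostname != record["host"]:
        findings.append("cross-site referer")
    return findings


def scan(records):
    """Return [(index, findings)] for every record that triggers at least one indicator."""
    results = []
    for i, record in enumerate(records):
        findings = classify_request(record)
        if findings:
            results.append((i, findings))
    return results


def repeat_sources(records, threshold=2):
    """Source IPs with at least `threshold` nonce-less wpsc_tickets requests.

    In a CSRF the victim's own browser sends the forged request, so the source
    IP identifies the affected user session, not the attacker.
    """
    hits = Counter(r["src_ip"] for r in records
                   if "wpsc_tickets request without nonce" in classify_request(r))
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_RECORDS):
        print(f"record {index}: {', '.join(findings)}")
    print("repeat sources:", repeat_sources(SAMPLE_RECORDS))
```

Records 1 and 3 are flagged; record 0 (nonce present, same-site Referer) and record 2 (a different action) are not. The nonce check is deliberately a presence check only: whether the nonce value is valid can be decided only by WordPress itself, so repeated nonce-less requests from one source are the log-side proxy for the "multiple failed CSRF validation attempts" indicator.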