CVE-2024-13552
📋 TL;DR
The SupportCandy WordPress plugin has an insecure direct object reference vulnerability that allows authenticated users to download support ticket attachments belonging to other users. If guest tickets are enabled, unauthenticated attackers can also exploit this. All WordPress sites using SupportCandy up to version 3.3.0 are affected.
💻 Affected Systems
- SupportCandy - Helpdesk & Customer Support Ticket System for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers download sensitive attachments containing PII, credentials, or confidential business information from support tickets.
Likely Case
Authenticated users access attachments from tickets they shouldn't have permission to view, potentially exposing sensitive customer or internal data.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized file downloads rather than system compromise.
🎯 Exploit Status
Exploitation requires manipulating file upload parameters. The vulnerability is simple to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3235142/supportcandy/trunk
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find SupportCandy plugin. 4. Click 'Update Now' or manually update to version 3.3.1 or later.
🔧 Temporary Workarounds
Disable Guest Tickets
allPrevent unauthenticated exploitation by disabling guest ticket functionality in SupportCandy settings.
Temporary Plugin Deactivation
linuxDeactivate SupportCandy plugin until patched if immediate update isn't possible.
wp plugin deactivate supportcandy
🧯 If You Can't Patch
- Implement web application firewall rules to block suspicious file download requests
- Monitor access logs for unusual attachment download patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > SupportCandy version. If version is 3.3.0 or lower, you are vulnerable.Check Version:
wp plugin get supportcandy --field=versionVerify Fix Applied:
Verify SupportCandy plugin version is 3.3.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual file download patterns from /wp-content/uploads/supportcandy/attachments/
- Multiple failed attachment access attempts from single IP
Network Indicators:
- HTTP requests to attachment endpoints with manipulated parameters
- Unusual spikes in downloads from support ticket URLs
SIEM Query:
source="web_logs" AND (url="*supportcandy*attachment*" OR url="*wpsc-attachment*") AND status=200 | stats count by src_ip, user_agent🔗 References
- https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-new-ticket.php#L395
- https://plugins.trac.wordpress.org/changeset/3235142/supportcandy/trunk?old=3188306&old_path=%2Fsupportcandy%2Ftrunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/13f87248-cc0b-4351-b79d-6efc5190b021?source=cve
