CVE-2024-13775
📋 TL;DR
The WooCommerce Support Ticket System plugin for WordPress is missing capability checks on three AJAX handlers (ajax_delete_message, ajax_get_customers_partial_list and ajax_get_admins_list). Any authenticated user with Subscriber-level access or higher can call them to delete arbitrary posts and to read user information including names, email addresses and capabilities. All versions up to and including 17.8 are affected; 17.9 adds the checks.
💻 Affected Systems
- WooCommerce Support Ticket System WordPress Plugin
📦 What is this software?
A premium WordPress plugin, sold through CodeCanyon, that adds a customer support ticket system to WooCommerce stores. Its AJAX handlers run through the standard /wp-admin/admin-ajax.php entry point.
⚠️ Risk & Real-World Impact
Worst Case
Mass deletion of site content combined with a bulk dump of user records (names, email addresses and capabilities), which also hands the attacker a list of administrator accounts to target next. The result is business disruption and a reportable data breach. The flaw itself does not give code execution; escalation beyond the three handlers would need a separate weakness.
Likely Case
Selective post deletion and harvesting of user email addresses for phishing campaigns or credential stuffing attacks.
If Mitigated
Limited impact where the attacker cannot obtain an account (registration closed or vetted), the three actions are blocked at the WAF, and content deletions are caught quickly by monitoring, leaving only minor data exposure.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via crafted AJAX requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.9 or later
Vendor Advisory: https://codecanyon.net/item/woocommerce-support-ticket-system/17930050#item-description__change-log
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WooCommerce Support Ticket System'.
4. Click 'Update Now' if an update is available.
5. If no update appears, download version 17.9 or later from CodeCanyon and replace the plugin files manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until the 17.9 update is installed. This unregisters the three AJAX actions entirely (admin-ajax.php then answers them with "0" and HTTP 400), at the cost of taking the ticket system offline for customers and staff:
wp plugin deactivate woocommerce-support-ticket-system
Restrict AJAX Endpoints
Block requests for the three vulnerable actions at the web server or WAF. The .htaccess rule below (Apache with mod_rewrite) is only a partial measure: mod_rewrite can inspect the query string but not the POST body, and WordPress reads the action from $_REQUEST, so a request that carries action= in the body passes this rule untouched. Prefer a WAF rule that inspects the request body where one is available. Note also that the rule blocks these actions for every user, so store staff lose the matching ticket-system functions while it is in place.
# Add to .htaccess:
RewriteEngine On
# No leading ^ so installs in a subdirectory (e.g. /shop/wp-admin/...) still match
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} (^|&)action=(ajax_delete_message|ajax_get_customers_partial_list|ajax_get_admins_list)(&|$) [NC]
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Shrink the pool of low-privilege accounts: close open user registration unless the store needs it, and review existing Subscriber accounts. Trimming the Subscriber role's capabilities does not help, because the vulnerable handlers perform no capability check at all.
- Enable comprehensive logging and monitoring of AJAX requests to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 17.8 or lower, you are vulnerable.
Check Version:
wp plugin get woocommerce-support-ticket-system --field=version
Verify Fix Applied:
Confirm the plugin version is 17.9 or higher after the update. Then, logged in as a Subscriber, send a POST to /wp-admin/admin-ajax.php for each of the three actions: a fixed plugin must deny the request before the handler does any work (WordPress signals a failed check_ajax_referer() or capability check with "-1" and HTTP 403). Any response that returns data or reports a deletion means the fix is not in effect.
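The following script carries out that Subscriber-account test. It is an added example written for this advisory, not code from the plugin vendor or from WordPress; the site URL and the throwaway Subscriber credentials are command-line arguments and are assumptions, and the three action names come from the advisory. It sends only the action name, since the plugin's own parameter names are not part of the advisory, and classifies the response using core WordPress conventions (wp_die('0', 400) when no handler is registered, wp_die(-1, 403) when a referer or permission check fails).

```python
"""Probe the three CVE-2024-13775 AJAX actions as a Subscriber.

Added example for this advisory, not code from the plugin vendor. Run it
only against a site you own, with a throwaway Subscriber account. The
site URL, username and password are command-line arguments (assumptions);
the action names are the ones the advisory lists.
"""
import http.cookiejar
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

ACTIONS = (
    "ajax_delete_message",
    "ajax_get_customers_partial_list",
    "ajax_get_admins_list",
)


def classify(status, body):
    """Turn an admin-ajax.php response into a verdict.

    Core WordPress conventions: no registered handler for the action ends in
    wp_die('0', 400); a failed check_ajax_referer() or permission check ends
    in wp_die(-1, 403). Any other response means the plugin's handler ran,
    which the fix is supposed to prevent for a Subscriber, so the body
    needs a human look.
    """
    text = body.strip()
    if status == 400 and text == "0":
        return "no handler registered (plugin inactive or action renamed)"
    if status in (401, 403) or text == "-1":
        return "rejected before the handler ran (expected on 17.9+)"
    try:
        payload = json.loads(text)
    except ValueError:
        return "handler ran, non-JSON body: REVIEW"
    if isinstance(payload, dict) and payload.get("success") is False:
        return "handler ran and reported failure: REVIEW"
    return "handler ran and returned data: REVIEW, likely still vulnerable"


def make_session():
    """urllib opener that keeps WordPress cookies across requests."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    return opener, jar


def login(opener, jar, site, user, password):
    """Log in through wp-login.php; True if a wordpress_logged_in_* cookie was issued."""
    login_url = site.rstrip("/") + "/wp-login.php"
    # The GET sets wordpress_test_cookie, which wp-login.php requires on the POST.
    opener.open(login_url).close()
    form = urllib.parse.urlencode({
        "log": user, "pwd": password, "wp-submit": "Log In",
        "redirect_to": site, "testcookie": "1",
    }).encode()
    opener.open(login_url, data=form).close()
    return any(c.name.startswith("wordpress_logged_in_") for c in jar)


def probe(opener, site, action):
    """POST only the action name and return (status, body); 4xx replies are
    returned rather than raised so they can be classified."""
    url = site.rstrip("/") + "/wp-admin/admin-ajax.php"
    form = urllib.parse.urlencode({"action": action}).encode()
    try:
        with opener.open(url, data=form) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py https://shop.example SUBSCRIBER_USER SUBSCRIBER_PASS")
    site, user, password = sys.argv[1:4]
    opener, jar = make_session()
    if not login(opener, jar, site, user, password):
        sys.exit("login failed: no wordpress_logged_in_ cookie received")
    for action in ACTIONS:
        status, body = probe(opener, site, action)
        print(f"{action}: HTTP {status} -> {classify(status, body)}")
```

Run it before and after the update: on 17.8 the list actions return data to the Subscriber, on 17.9 all three should land in the "rejected" bucket. A "no handler registered" verdict means the plugin is inactive or the action was renamed, not that it is fixed.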
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action parameters: ajax_delete_message, ajax_get_customers_partial_list, ajax_get_admins_list from Subscriber-level users
- Multiple post deletions from non-admin users
- User enumeration requests from low-privilege accounts
Network Indicators:
- Spike in AJAX requests to admin-ajax.php from authenticated users
- Unusual data exfiltration patterns
SIEM Query:
source="wordpress.log" AND (uri="/wp-admin/admin-ajax.php" AND (action="ajax_delete_message" OR action="ajax_get_customers_partial_list" OR action="ajax_get_admins_list")) AND user_role="subscriber"
Field names are illustrative. A plain web-server access log records neither the POST-body action nor the WordPress role, so a query like this needs a log source (WordPress audit-log plugin or WAF) that captures both.
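The following scanner implements the log indicators above against web-server access logs. It is an added example for this advisory, not a vendor tool; the log lines it carries are constructed for illustration (the IP addresses are documentation ranges), and the 20-requests-per-IP threshold is an arbitrary starting point. It has the same blind spot as the .htaccess rule: the action name is only visible when a client puts it in the query string, so the per-IP volume check, which needs no body, is the part that works on every line.

```python
"""Scan Apache/nginx combined-format access logs for CVE-2024-13775 indicators.

Added example for this advisory, not a vendor tool. Two checks:
  1. admin-ajax.php hits whose query string names one of the three
     vulnerable actions (the action is usually in the POST body, which
     access logs do not record, so this only catches query-string use);
  2. an unusual volume of admin-ajax.php requests from one client IP,
     which works regardless of where the action parameter travels.
The sample log below is constructed; the IPs are documentation ranges.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_ACTIONS = {
    "ajax_delete_message",
    "ajax_get_customers_partial_list",
    "ajax_get_admins_list",
}

# Combined log format: ip ident authuser [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one client names the actions in the query string,
# one is blocked by a WAF (403), one hammers admin-ajax.php with no query.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /my-account/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 112 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_get_admins_list HTTP/1.1" 200 2231 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Mar/2025:12:00:10 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_delete_message HTTP/1.1" 200 14 "-" "python-requests/2.31"',
    '192.0.2.44 - - [10/Mar/2025:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_delete_message HTTP/1.1" 403 3 "-" "curl/8.4"',
] + [
    f'198.51.100.7 - - [10/Mar/2025:12:02:{i:02d} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"'
    for i in range(25)
]


def parse_line(line):
    """Return ip/method/path/action/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    action = parse_qs(parts.query).get("action", [None])[0]
    return {
        "ip": m["ip"],
        "method": m["method"],
        "path": parts.path,
        "action": action,
        "status": int(m["status"]),
    }


def scan(lines, volume_threshold=20):
    """Apply both checks; paths are compared with endswith so subdirectory installs match."""
    action_hits = []
    ajax_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        ajax_per_ip[rec["ip"]] += 1
        if rec["action"] in TARGET_ACTIONS:
            action_hits.append(rec)
    volume_alerts = {ip: n for ip, n in ajax_per_ip.items() if n >= volume_threshold}
    return {"action_hits": action_hits, "volume_alerts": volume_alerts}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for hit in result["action_hits"]:
        verdict = "BLOCKED" if hit["status"] in (401, 403) else "REACHED HANDLER"
        print(f"{hit['ip']} {hit['action']} HTTP {hit['status']} {verdict}")
    for ip, count in result["volume_alerts"].items():
        print(f"{ip}: {count} admin-ajax.php requests (threshold exceeded)")
```

Feed real logs with `scan(open("access.log"))`. A 200 on one of the three actions from a client that is not store staff is the strongest signal; 403s show the WAF rule working and tell you who is probing. Tune the volume threshold against a baseline, since the WordPress heartbeat and WooCommerce cart fragments also go through admin-ajax.php.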