CVE-2024-24716 – This CVE describes a Missing Authorization vuln... (How to Fix)

Q: What is the severity of CVE-2024-24716?

CVE-2024-24716 has a CVSS score of 5.4 (MEDIUM). This CVE describes a Missing Authorization vulnerability in the Awesome Support WordPress plugin that allows unauthorized users to access restricted functionality. It affects all versions up to 6.1.6. WordPress sites using vulnerable versions of this plugin are at risk.

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the Awesome Support WordPress plugin that allows unauthorized users to access restricted functionality. It affects all versions up to 6.1.6. WordPress sites using vulnerable versions of this plugin are at risk.

💻 Affected Systems

Products:

Awesome Support WordPress Plugin

Versions: All versions up to and including 6.1.6

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WordPress installations with Awesome Support plugin enabled. The vulnerability exists in the plugin's access control mechanisms.

📦 What is this software?

Awesome Support by Getawesomesupport

View all CVEs affecting Awesome Support →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users could access sensitive support ticket data, modify tickets, or perform administrative actions within the support system, potentially leading to data exposure or system compromise.

🟠

Likely Case

Attackers could view or modify support tickets they shouldn't have access to, potentially exposing sensitive customer information or disrupting support operations.

🟢

If Mitigated

With proper access controls and authentication mechanisms in place, impact would be limited to authorized users only following their assigned permissions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires some level of access to the WordPress site but bypasses authorization checks within the plugin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.7 or later

Vendor Advisory: https://wordpress.org/plugins/awesome-support/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Awesome Support plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the Awesome Support plugin until patched

wp plugin deactivate awesome-support

Restrict Access

all

Use WordPress roles and capabilities to restrict access to support functionality

🧯 If You Can't Patch

Implement strict network access controls to limit who can access the WordPress admin interface
Enable detailed logging and monitoring for unauthorized access attempts to support functionality

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Awesome Support version

Check Version:

wp plugin get awesome-support --field=version

Verify Fix Applied:

Verify Awesome Support plugin version is 6.1.7 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to support ticket endpoints
Unusual user activity in support system from non-support roles

Network Indicators:

HTTP requests to /wp-admin/admin-ajax.php with support-related actions from unauthorized users

SIEM Query:

source="wordpress.log" AND ("awesome-support" OR "as-ajax") AND (user_role!="administrator" AND user_role!="support_agent")

📊 Metadata

CVE ID: CVE-2024-24716

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE: CWE-862

Published: June 9, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-24716, you might also want to check these: