CVE-2024-35741 – This CVE describes a Missing Authorization vuln... (How to Fix)

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the Awesome Support WordPress plugin that allows unauthorized users to access restricted functionality. It affects all versions up to 6.1.7, potentially enabling attackers to perform actions they shouldn't have permission for. WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

Awesome Support WordPress Plugin

Versions: All versions up to and including 6.1.7

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WordPress installations with the Awesome Support plugin enabled. The vulnerability exists in the plugin's access control mechanisms.

📦 What is this software?

Awesome Support by Getawesomesupport

View all CVEs affecting Awesome Support →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users could access sensitive support ticket data, modify tickets, or perform administrative actions within the support system, potentially leading to data exposure or system compromise.

🟠

Likely Case

Attackers could view or modify support tickets they shouldn't have access to, potentially exposing customer information or disrupting support operations.

🟢

If Mitigated

With proper access controls and network segmentation, impact would be limited to the support system functionality only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires some level of access to the WordPress site but bypasses authorization checks within the plugin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.8 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/awesome-support/wordpress-awesome-support-plugin-6-1-7-broken-access-control-vulnerability-2?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Awesome Support plugin
4. Click 'Update Now' if available
5. If manual update needed, download version 6.1.8+ from WordPress.org
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the Awesome Support plugin until patched

wp plugin deactivate awesome-support

Restrict Access

all

Use web application firewall rules to restrict access to plugin endpoints

🧯 If You Can't Patch

Implement strict network access controls to limit who can reach the WordPress site
Enable detailed logging and monitoring for unauthorized access attempts to support system endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Awesome Support → Version number. If version is 6.1.7 or earlier, you are vulnerable.

Check Version:

wp plugin get awesome-support --field=version

Verify Fix Applied:

After updating, verify version shows 6.1.8 or later in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to /wp-content/plugins/awesome-support/ endpoints
Unusual user activity in support ticket system from non-support roles

Network Indicators:

HTTP requests to awesome-support plugin endpoints from unauthorized IPs

SIEM Query:

source="wordpress.log" AND "awesome-support" AND ("unauthorized" OR "permission denied" OR "access control")

📊 Metadata

CVE ID: CVE-2024-35741

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-862

Published: June 10, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-35741, you might also want to check these: