Helpdesk Support Ticket System for WooCommerce <= 2.1.2 - Missing Authorization
Description
The Helpdesk Support Ticket System for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.1.2What Changed in the Fix
Changes introduced in v2.1.3
Source Code
WordPress.org SVNphp` snippets. Wait, I see nothing. * Let's look at the `push_not` registration in `support-ticket-system-for-woocommerce.php`: ```php add_action( 'wp_ajax_nopriv_push_not',array( $this, 'push_not' ) ); add_action( 'wp_ajax_push_not', array( $this, 'push_not' …
Show full research plan
php` snippets.
Wait, I see nothing.
* Let's look at the `push_not` registration in `support-ticket-system-for-woocommerce.php`:
```php
add_action( 'wp_ajax_nopriv_push_not',array( $this, 'push_not' ) );
add_action( 'wp_ajax_push_not', array( $this, 'push_not' ) );
```
This is perfect. It's unauthenticated. It's missing authorization (doesn't check if the caller is an admin). It performs an action (deletes a transient).
1. Verify the notice exists (by setting the transient via WP-CLI or activating the plugin).
2. Send an unauthenticated AJAX request to `admin-ajax.php` with `action=push_not`.
3. Verify the transient is gone.
* *Self-Correction:* The CVSS 5.3 is very specific. Many "Missing Authorization" bugs that allow unauthenticated data deletion (like ticket responses) are rated much higher (7.5+). `I:L` (Integrity Low) fits the deletion of a transient/notice perfectly.
STSWooCommerce_notification
1. Activate plugin (triggers `notification_hook`, sets transient).
2. Check transient: `wp transient get STSWooCommerce_notification`.
3. Run
Summary
The Helpdesk Support Ticket System for WooCommerce plugin for WordPress is vulnerable to unauthorized access and information disclosure due to missing capability checks on an AJAX action and insecure REST API settings. This allows unauthenticated attackers to dismiss administrative notifications for the plugin and query private support tickets via the WordPress REST API.
Vulnerable Code
// support-ticket-system-for-woocommerce.php line 105-106 add_action( 'wp_ajax_nopriv_push_not',array( $this, 'push_not' ) ); add_action( 'wp_ajax_push_not', array( $this, 'push_not' ) ); // support-ticket-system-for-woocommerce.php line 137-140 public function push_not(){ delete_transient( $this->plugin."_notification" ); } --- // includes.php line 203-214 'show_in_rest' => true, 'rest_base' => 'stsw_tickets', 'rest_controller_class' => 'WP_REST_Posts_Controller', 'capability_type' => 'page', 'hierarchical' => false, 'menu_position' => null, 'public' => false, // it's not public, it shouldn't have it's own permalink, and so on 'publicly_queryable' => true, // you should be able to query it 'show_ui' => true, // you should be able to edit it in wp-admin 'show_in_menu' => false, 'exclude_from_search' => true, // you should exclude it from search results
Security Fix
@@ -174,7 +174,7 @@ /** * Tickets. * - * @version 2.0.0 + * @version 2.1.3 */ public function Tickets() { @@ -200,14 +200,12 @@ 'description' => esc_html__('Adding and editing my Tickets','support-ticket-system-for-woocommerce' ), 'menu_icon' => 'dashicons-calendar', 'supports' => array( 'title'), - 'show_in_rest' => true, - 'rest_base' => 'stsw_tickets', - 'rest_controller_class' => 'WP_REST_Posts_Controller', + 'show_in_rest' => false, 'capability_type' => 'page', 'hierarchical' => false, 'menu_position' => null, 'public' => false, // it's not public, it shouldn't have it's own permalink, and so on - 'publicly_queryable' => true, // you should be able to query it + 'publicly_queryable' => false, 'show_ui' => true, // you should be able to edit it in wp-admin 'show_in_menu' => false, 'exclude_from_search' => true, // you should exclude it from search results
Exploit Outline
The vulnerability can be exploited in two ways: 1. Information Disclosure: An unauthenticated attacker can retrieve private support ticket information by sending a GET request to the WordPress REST API at `/wp-json/wp/v2/stsw_tickets`. Because the `stsw_tickets` post type is registered with `show_in_rest => true` and `publicly_queryable => true`, the standard WP_REST_Posts_Controller allows querying these posts even if they are not intended to be public. 2. Unauthorized Action: An unauthenticated attacker can dismiss the plugin's administrative notification transient for all users. This is achieved by sending a POST or GET request to `admin-ajax.php` with the `action` parameter set to `push_not`. The function `push_not` is hooked to `wp_ajax_nopriv_push_not` and lacks any permission or capability checks, directly executing `delete_transient` when called.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.