[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fiYnLXo_vEJvTBDrpI4iEQkJlDMt7_p8p3hwKKua_q3s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-23977","helpdesk-support-ticket-system-for-woocommerce-missing-authorization-2","Helpdesk Support Ticket System for WooCommerce \u003C= 2.1.2 - Missing Authorization","The Helpdesk Support Ticket System for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.1.2. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","support-ticket-system-for-woocommerce",null,"\u003C=2.1.2","2.1.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-23 00:00:00","2026-04-02 14:58:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F82268ef9-6468-43a5-8578-86c8aec51f2c?source=api-prod",11,[22,23,24,25],"includes.php","langs\u002Fsupport-ticket-system-for-woocommerce.pot","readme.txt","support-ticket-system-for-woocommerce.php","researched",false,3,"php` snippets.\n        Wait, I see nothing.\n\n    *   Let's look at the `push_not` registration in `support-ticket-system-for-woocommerce.php`:\n        ```php\n        add_action( 'wp_ajax_nopriv_push_not',array( $this, 'push_not'  ) );\n        add_action( 'wp_ajax_push_not', array( $this, 'push_not' ) );\n        ```\n        This is perfect. It's unauthenticated. It's missing authorization (doesn't check if the caller is an admin). It performs an action (deletes a transient).\n\n    1.  Verify the notice exists (by setting the transient via WP-CLI or activating the plugin).\n    2.  Send an unauthenticated AJAX request to `admin-ajax.php` with `action=push_not`.\n    3.  Verify the transient is gone.\n\n    *   *Self-Correction:* The CVSS 5.3 is very specific. Many \"Missing Authorization\" bugs that allow unauthenticated data deletion (like ticket responses) are rated much higher (7.5+). `I:L` (Integrity Low) fits the deletion of a transient\u002Fnotice perfectly.\n\n`STSWooCommerce_notification`\n\n    1.  Activate plugin (triggers `notification_hook`, sets transient).\n    2.  Check transient: `wp transient get STSWooCommerce_notification`.\n    3.  
Run","The Helpdesk Support Ticket System for WooCommerce plugin for WordPress is vulnerable to unauthorized access and information disclosure due to missing capability checks on an AJAX action and insecure REST API settings. This allows unauthenticated attackers to dismiss administrative notifications for the plugin and query private support tickets via the WordPress REST API.","\u002F\u002F support-ticket-system-for-woocommerce.php line 105-106\nadd_action( 'wp_ajax_nopriv_push_not',array( $this, 'push_not'  ) );\nadd_action( 'wp_ajax_push_not', array( $this, 'push_not' ) );\n\n\u002F\u002F support-ticket-system-for-woocommerce.php line 137-140\npublic function push_not(){\n    delete_transient( $this->plugin.\"_notification\" );\n}\n\n---\n\n\u002F\u002F includes.php line 203-214\n'show_in_rest'          => true,\n'rest_base'             => 'stsw_tickets',\n'rest_controller_class' => 'WP_REST_Posts_Controller',\n'capability_type'       => 'page',\n'hierarchical'          => false,\n'menu_position'         => null,\n'public'                => false, \u002F\u002F it's not public, it shouldn't have it's own permalink, and so on\n'publicly_queryable'    => true,  \u002F\u002F you should be able to query it\n'show_ui'               => true,  \u002F\u002F you should be able to edit it in wp-admin\n'show_in_menu'          => false,\n'exclude_from_search'   => true,  \u002F\u002F you should exclude it from search results","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupport-ticket-system-for-woocommerce\u002F2.1.2\u002Fincludes.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupport-ticket-system-for-woocommerce\u002F2.1.3\u002Fincludes.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupport-ticket-system-for-woocommerce\u002F2.1.2\u002Fincludes.php\t2025-12-26 20:08:12.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupport-ticket-system-for-woocommerce\u002F2.1.3\u002Fincludes.php\t2026-01-14 13:52:32.000000000 +0000\n@@ -174,7 +174,7 @@\n \t\u002F**\n \t * Tickets.\n \t *\n-\t * @version 2.0.0\n+\t * @version 2.1.3\n \t *\u002F\n \tpublic function Tickets() {\n \n@@ -200,14 +200,12 @@\n \t\t\t\t'description'           => esc_html__('Adding and editing my Tickets','support-ticket-system-for-woocommerce' ),\n \t\t\t\t'menu_icon'             => 'dashicons-calendar',\n \t\t\t\t'supports'              => array( 'title'),\n-\t\t\t\t'show_in_rest'          => true,\n-\t\t\t\t'rest_base'             => 'stsw_tickets',\n-\t\t\t\t'rest_controller_class' => 'WP_REST_Posts_Controller',\n+\t\t\t\t'show_in_rest'          => false,\n \t\t\t\t'capability_type'       => 'page',\n \t\t\t\t'hierarchical'          => false,\n \t\t\t\t'menu_position'         => null,\n \t\t\t\t'public'                => false, \u002F\u002F it's not public, it shouldn't have it's own permalink, and so on\n-\t\t\t\t'publicly_queryable'    => true,  \u002F\u002F you should be able to query it\n+\t\t\t\t'publicly_queryable'    => false,\n \t\t\t\t'show_ui'               => true,  \u002F\u002F you should be able to edit it in wp-admin\n \t\t\t\t'show_in_menu'          => false,\n \t\t\t\t'exclude_from_search'   => true,  \u002F\u002F you should exclude it from search results","The vulnerability can be exploited in two ways:\n\n1. Information Disclosure: An unauthenticated attacker can retrieve private support ticket information by sending a GET request to the WordPress REST API at `\u002Fwp-json\u002Fwp\u002Fv2\u002Fstsw_tickets`. Because the `stsw_tickets` post type is registered with `show_in_rest => true` and `publicly_queryable => true`, the standard WP_REST_Posts_Controller allows querying these posts even if they are not intended to be public.\n\n2. 
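Unauthorized Action: An unauthenticated attacker can delete the transient behind the plugin's administrative notification, which dismisses that notice for all users. This is achieved by sending a POST or GET request to `admin-ajax.php` with the `action` parameter set to `push_not`. The function `push_not` is hooked to `wp_ajax_nopriv_push_not` and lacks any permission or capability checks, directly executing `delete_transient` when called.\n\nScope and confidence: only item 2 matches the advisory's CVSS vector (C:N\u002FI:L), and its impact is limited to removing that notice. Item 1 is inferred from the 2.1.3 diff and is unverified: the standard posts controller returns only posts with a publicly viewable status to unauthenticated requests, so any exposure depends on the status under which tickets are stored. A handler like `push_not` is normally protected by dropping the `nopriv` hook and checking a nonce and `current_user_can()` before acting; the diff shown on this page covers only `includes.php`, so confirm in the main plugin file how 2.1.3 handles this.","gemini-3-flash-preview","2026-04-17 23:57:04","2026-04-17 23:57:54",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupport-ticket-system-for-woocommerce\u002Ftags\u002F2.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupport-ticket-system-for-woocommerce.2.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupport-ticket-system-for-woocommerce\u002Ftags\u002F2.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupport-ticket-system-for-woocommerce.2.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupport-ticket-system-for-woocommerce\u002Ftags"]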