[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyk3jBLdx-fmCamthZ9Yi8N8j9Da-EZwie2iExquTIss":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-54826","supportcandy-helpdesk-customer-support-ticket-system-authenticated-subscriber-insecure-direct-object-reference-2","SupportCandy – Helpdesk & Customer Support Ticket System \u003C= 3.4.6 - Authenticated (Subscriber+) Insecure Direct Object Reference","The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.6 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","supportcandy",null,"\u003C=3.4.6","3.4.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-17 00:00:00","2026-06-25 14:07:18",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcf2c451d-a30c-4c0f-9cf0-6361f6b1913c?source=api-prod",9,[22,23,24,25,26,27,28,29],"asset\u002Fjs\u002Fadmin.js","changelog.txt","class-wpsc-installation.php","framework\u002Fclass-wpsc-framework.php","framework\u002Fscripts.js","framework\u002Fstyle-rtl.css","framework\u002Fstyle.css","i18n\u002Fsupportcandy.pot","researched",false,3,"This research plan focuses on an **Authenticated Insecure Direct Object Reference (IDOR)** vulnerability in SupportCandy (\u003C= 3.4.6). The vulnerability allows a user with **Subscriber-level access** (typically a \"Customer\" in SupportCandy) to perform unauthorized actions, specifically modifying or closing tickets belonging to other users, due to a failure in the backend to verify ticket ownership.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Insecure Direct Object Reference (IDOR).\n*   **Affected Component:** AJAX actions that process ticket-related tasks, specifically `wpsc_it_close_ticket`.\n*   **Cause:** The plugin validates the existence of a WordPress nonce but fails to verify if the `ticket_id` provided in the request belongs to the authenticated user's `customer_id`.\n*   **Impact:** Integrity modification (`I:L`). An attacker can close tickets belonging to any other user if they know the `ticket_id`.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wpsc_it_close_ticket`\n*   **Vulnerable Parameter:** `ticket_id`\n*   **Authentication:** Authenticated (Subscriber+)\n*   **Preconditions:** The attacker must be logged in as a Subscriber (Customer) and have the ID of a victim's ticket.\n\n### 3. Code Flow\n1.  **Entry Point:** The client sends a POST request to `admin-ajax.php` with `action=wpsc_it_close_ticket`.\n2.  **JS Implementation (`framework\u002Fscripts.js`):**\n    ```javascript\n    function wpsc_it_close_ticket(ticket_id, nonce) {\n      \u002F\u002F ... confirms and checks for draft reply ...\n      var data = { action: \"wpsc_it_close_ticket\", ticket_id, _ajax_nonce: nonce };\n      jQuery.post(supportcandy.ajax_url, data, function (response) { ... });\n    }\n    ```\n3.  **Backend Processing:** The backend handler for `wpsc_it_close_ticket` likely calls `check_ajax_referer('wpsc_it_close_ticket', '_ajax_nonce')`.\n4.  **Vulnerable Sink:** After nonce verification, the code proceeds to update the status of `ticket_id` in the `psmsc_tickets` table without checking if the current user is the \"customer\" associated with that ticket.\n\n### 4. Nonce Acquisition Strategy\nSupportCandy uses localized objects for its nonces. Since the attacker is an authenticated Subscriber, they can obtain a valid nonce for the `wpsc_it_close_ticket` action by interacting with their own ticket.\n\n1.  **Create a Personal Ticket:** The attacker creates a legitimate ticket to gain access to the ticket-viewing interface.\n2.  **Access Ticket UI:** Navigate to the page containing the `[supportcandy]` shortcode.\n3.  **Extract Nonce:**\n    *   The nonce for specific ticket actions is often localized in the `supportcandy` object or embedded in the \"Close\" button's attributes.\n    *   **Strategy:** Use `browser_eval` to extract the general nonce from the `supportcandy` object or locate the \"Close\" button for the attacker's own ticket and parse its `onclick` handler.\n    *   **Variable:** `window.supportcandy?.nonce` (General nonce) or specific action nonces found in the DOM.\n\n### 5. Exploitation Strategy\nThe exploit will demonstrate closing a victim's ticket from a Subscriber account.\n\n**Step-by-Step:**\n1.  **Preparation:** Identify a Victim ticket ID (e.g., `1`).\n2.  **Session Initiation:** Log in as the Attacker (Subscriber).\n3.  **Nonce Retrieval:**\n    *   Navigate to the SupportCandy portal.\n    *   Create a dummy ticket (e.g., ID `2`).\n    *   View the dummy ticket.\n    *   Extract the nonce for the `wpsc_it_close_ticket` action.\n4.  **Forged Request:** Send a POST request via the `http_request` tool targeting the victim's ticket ID.\n\n**HTTP Request Payload:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=wpsc_it_close_ticket&ticket_id=[VICTIM_TICKET_ID]&_ajax_nonce=[ATTACKER_NONCE]\n    ```\n\n### 6. Test Data Setup\n1.  **Victim User:** Create a user `victim_user` (Subscriber).\n2.  **Attacker User:** Create a user `attacker_user` (Subscriber).\n3.  **Victim Ticket:** Log in as `victim_user` and create a ticket with subject \"Confidential Issue\". Note the ID.\n4.  **Portal Page:** Create a WordPress page with the shortcode `[supportcandy]` so the UI is accessible.\n\n### 7. Expected Results\n*   **Response:** The server returns a success response (typically empty or a small HTML fragment\u002FJSON).\n*   **Database Change:** The status of the victim's ticket in the `psmsc_tickets` table changes to the ID corresponding to \"Closed\" (often `3` or `4` depending on configuration).\n\n### 8. Verification Steps\n1.  **Check Ticket Status via WP-CLI:**\n    ```bash\n    # Query the psmsc_tickets table for the victim's ticket status\n    wp db query \"SELECT status FROM wp_psmsc_tickets WHERE id = [VICTIM_TICKET_ID]\"\n    ```\n2.  **Confirm Status:** Compare the status ID before and after the attack. A change indicates a successful IDOR.\n\n### 9. Alternative Approaches\n*   **Action `wpsc_it_get_duplicate_ticket`:** If closing is not possible, check if a Subscriber can duplicate any ticket ID, which might reveal contents in the duplication form (`I:L`, potentially `C:L`).\n*   **Action `wpsc_get_individual_ticket`:** Check if this action (which `asset\u002Fjs\u002Fadmin.js` shows has no nonce","The SupportCandy plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to 3.4.6. This allows authenticated attackers with Subscriber-level access (customers) to perform unauthorized actions, such as closing tickets belonging to other users, because the plugin fails to verify ticket ownership before processing AJAX requests.","\u002F\u002F framework\u002Fscripts.js @ 3.4.6\n\u002F**\n * Get close current ticket modal UI\n *\u002F\nfunction wpsc_it_close_ticket(ticket_id, nonce) {\n  if (wpsc_is_description_text()) {\n    if (!confirm(supportcandy.translations.warning_message)) return;\n  }\n\n  var flag = confirm(supportcandy.translations.confirm);\n  if (flag) {\n    if (wpsc_is_description_text()) {\n      wpsc_clear_saved_draft_reply(ticket_id);\n    }\n  } else {\n    return;\n  }\n\n  \u002F\u002F Vulnerable action: Sends ticket_id and nonce without sufficient backend ownership validation\n  var data = { action: \"wpsc_it_close_ticket\", ticket_id, _ajax_nonce: nonce };\n  jQuery.post(supportcandy.ajax_url, data, function (response) {\n    wpsc_run_ajax_background_process();\n    wpsc_after_close_ticket(ticket_id);\n  });\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupportcandy\u002F3.4.6\u002Fasset\u002Fjs\u002Fadmin.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupportcandy\u002F3.4.7\u002Fasset\u002Fjs\u002Fadmin.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupportcandy\u002F3.4.6\u002Fasset\u002Fjs\u002Fadmin.js\t2026-03-23 04:55:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupportcandy\u002F3.4.7\u002Fasset\u002Fjs\u002Fadmin.js\t2026-05-26 07:12:22.000000000 +0000\n@@ -3600,6 +3600,59 @@\n }\n \n \u002F**\n+ * Get edit Agent Collision widget\n+ *\u002F\n+function wpsc_get_tw_agent_collision() {\n+\n+\twpsc_show_modal();\n+\tvar data = { action: 'wpsc_get_tw_agent_collision' };\n+\tjQuery.post(\n+\t\tsupportcandy.ajax_url,\n+\t\tdata,\n+\t\tfunction (response) {\n+\n+\t\t\t\u002F\u002F Set to modal.\n+\t\t\tjQuery( '.wpsc-modal-header' ).text( response.title );\n+\t\t\tjQuery( '.wpsc-modal-body' ).html( response.body );\n+\t\t\tjQuery( '.wpsc-modal-footer' ).html( response.footer );\n+\t\t\t\u002F\u002F Display modal.\n+\t\t\twpsc_show_modal_inner_container();\n+\t\t}\n+\t);\n+}\n+\n+\u002F**\n+ * Set edit Agent Collision widget\n+ *\u002F\n+function wpsc_set_tw_agent_collision(el) {\n+\tvar form     = jQuery( '.wpsc-frm-edit-ac' )[0];\n+\tvar dataform = new FormData( form );\n+\t\n+\tif (dataform.get( 'label' ).trim() == '') {\n+\t\talert( supportcandy.translations.req_fields_missing );\n+\t\treturn;\n+\t}\n+\t\n+\tjQuery( '.wpsc-modal-footer button' ).attr( 'disabled', true );\n+\tjQuery( el ).text( supportcandy.translations.please_wait );\n+\n+\tjQuery.ajax(\n+\t\t{\n+\t\t\turl: supportcandy.ajax_url,\n+\t\t\ttype: 'POST',\n+\t\t\tdata: dataform,\n+\t\t\tprocessData: false,\n+\t\t\tcontentType: false\n+\t\t}\n+\t).done(\n+\t\tfunction (res) {\n+\t\t\twpsc_close_modal();\n+\t\t\twpsc_get_ticket_widget();\n+\t\t}\n+\t);\n+}\n+\n+\u002F**\n  * Ticket widget status\n  *\u002F\n function wpsc_get_tw_ticket_status() {\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupportcandy\u002F3.4.6\u002Fchangelog.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupportcandy\u002F3.4.7\u002Fchangelog.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupportcandy\u002F3.4.6\u002Fchangelog.txt\t2026-03-24 07:33:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsupportcandy\u002F3.4.7\u002Fchangelog.txt\t2026-05-26 07:12:22.000000000 +0000\n@@ -1,5 +1,12 @@\n == Changelog ==\n \n+= 3.4.7 (May 26, 2026) =\n+* New: Option to disable email notifications for specific tickets\n+* New: Improved form validation to highlight incomplete fields on submission\n+* New: Agent collision widget added\n+* Fix: Security vulnerability resolved\n+* Fix: Email notifications not sent to agents assigned via workflows\n+\n = 3.4.6 (March 23, 2026) =\n * New: Added Merge Ticket feature (Pro) in Productivity Suite.\n * New: Added AI Assistant feature (Pro) in Productivity Suite.","1. Identification: The attacker identifies a target ticket ID belonging to another user.\n2. Nonce Acquisition: The attacker logs into their own Subscriber account and creates or views their own ticket to extract a valid AJAX nonce for the `wpsc_it_close_ticket` action from the localized `supportcandy` JavaScript object or the ticket UI.\n3. Payload Construction: The attacker prepares an unauthenticated AJAX request targeting `\u002Fwp-admin\u002Fadmin-ajax.php`.\n4. Execution: The attacker sends a POST request with the following body: `action=wpsc_it_close_ticket&ticket_id=[VICTIM_ID]&_ajax_nonce=[ATTACKER_NONCE]`.\n5. Outcome: Because the backend handler (e.g., in `includes\u002Fadmin\u002Ftickets\u002Fclass-wpsc-individual-ticket.php`) validates the nonce but fails to verify that the requesting user's `customer_id` matches the `customer` field of the ticket, the victim's ticket is closed.","gemini-3-flash-preview","2026-06-25 23:01:37","2026-06-25 23:02:33",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.4.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags\u002F3.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupportcandy.3.4.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags\u002F3.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupportcandy.3.4.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags"]