[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fw8__8aZ_bD8-mfHW9pAwF03Iv0x9rAW1iT7B8DkU1yc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1251","supportcandy-helpdesk-customer-support-ticket-system-authenticated-subscriber-insecure-direct-object-reference","SupportCandy – Helpdesk & Customer Support Ticket System \u003C= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference","The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.","supportcandy",null,"\u003C=3.4.4","3.4.5","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-01-23 00:00:00","2026-01-31 06:39:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F89df3005-0967-474f-8a4e-3b23273dd1a2?source=api-prod",8,[],"researched",false,3,"This research plan outlines the steps to exploit a confirmed Insecure Direct Object Reference (IDOR) vulnerability in the SupportCandy WordPress plugin.\n\n## 1. Vulnerability Summary\nThe SupportCandy plugin (\u003C= 3.4.4) is vulnerable to an IDOR in the `add_reply` function. This occurs because the function accepts an array of attachment IDs via the `description_attachments` parameter without verifying that the current user has ownership or authorization over those specific attachments. An attacker can provide IDs of files uploaded by other users, causing the plugin to re-assign those files to the attacker’s ticket, thereby stealing access and potentially removing access from the original owner.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `wpsc_add_reply` (inferred from plugin naming conventions and function name)\n- **Vulnerable Parameter:** `description_attachments` (can be an array or comma-separated string of attachment IDs)\n- **Authentication:** Authenticated (Subscriber or higher). The attacker must have permission to create or reply to tickets (default behavior for SupportCandy users).\n- **Preconditions:** \n    1. 
The attacker must know or guess the ID of a target attachment (usually a standard WordPress media\u002Fattachment post ID).\n    2. The attacker must have at least one active ticket to which they can add a reply.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The AJAX action `wp_ajax_wpsc_add_reply` triggers the handler (likely inside `class-wpsc-tickets.php` or an AJAX controller).\n2. **Authorization Check:** The plugin checks if the user is logged in and perhaps if they have access to the `ticket_id` provided in the request.\n3. **Processing Attachments:** The code iterates through the IDs provided in the `description_attachments` parameter.\n4. **Sink:** The plugin performs a database update (likely changing the `post_parent` of the attachment or updating a custom `wpsc` attachment mapping table) to link the attachment to the new reply\u002Fticket.\n5. **Vulnerability:** There is no check (e.g., `if (get_post_field('post_author', $attachment_id) == get_current_user_id())`) before performing the re-association.\n\n## 4. Nonce Acquisition Strategy\nSupportCandy heavily relies on localized JavaScript objects to store nonces and AJAX URLs.\n\n1. **Shortcode Identification:** SupportCandy typically uses the `[supportcandy]` shortcode to render the customer portal.\n2. **Page Creation:**\n   ```bash\n   wp post create --post_type=page --post_title=\"Support\" --post_status=publish --post_content='[supportcandy]'\n   ```\n3. **Navigation:** Navigate to the newly created page as a logged-in Subscriber.\n4. **Nonce Extraction:** SupportCandy usually localizes data into a global object.\n   - **Target Variable:** `window.wpsc_ajax_common?.nonce` or `window.wpsc_ticket_list?.nonce` (inferred).\n   - **Command:** `browser_eval(\"window.wpsc_ajax_common.nonce\")`\n5. **Alternative:** If the nonce is per-ticket, navigate to a specific ticket the attacker owns and look for localized data related to that ticket.\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Preliminary Data Gathering\n- Create a **Victim** (Subscriber) and an **Attacker** (Subscriber).\n- **Victim** creates a ticket and uploads a file (e.g., `secret.txt`).\n- **Attacker** creates a ticket.\n- Note the `attachment_id` of the Victim's file (via `wp-cli` for the PoC).\n\n### Step 2: The Attack Request\nThe attacker sends an AJAX request to re-associate the Victim's attachment with the Attacker's ticket.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Payload:**\n  ```text\n  action=wpsc_add_reply&\n  ticket_id=[ATTACKER_TICKET_ID]&\n  description=Stealing+your+files&\n  description_attachments[]=[VICTIM_ATTACHMENT_ID]&\n  wpsc_nonce=[EXTRACTED_NONCE]\n  ```\n\n### Step 3: Result Analysis\nIf successful, the plugin response will indicate a successful reply addition. The Victim's attachment will now be linked to the Attacker's ticket.\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Install and activate `supportcandy` version 3.4.4.\n2. **Enable Attachments:** Ensure ticket attachments are enabled in SupportCandy settings.\n3. **Users:**\n   - Create user `victim` (Subscriber).\n   - Create user `attacker` (Subscriber).\n4. **Victim Ticket:** \n   - Log in as `victim`.\n   - Create a ticket.\n   - Upload a file (ID `123`).\n5. **Attacker Ticket:**\n   - Log in as `attacker`.\n   - Create a ticket (ID `456`).\n6. **Portal Page:** Create a page with `[supportcandy]` to facilitate nonce retrieval.\n\n## 7. Expected Results\n- The HTTP response for the `wpsc_add_reply` action returns a success code (JSON `{\"success\": true}`).\n- The attachment previously owned\u002Fviewable by the Victim is now listed as an attachment on the Attacker's ticket.\n- The Victim may no longer see the attachment on their own ticket, or it may appear as \"broken\" if the relationship is exclusive.\n\n## 8. 
Verification Steps\nAfter the exploit, use `wp-cli` to verify the IDOR:\n\n1. **Check Attachment Parent:**\n   ```bash\n   wp post get [VICTIM_ATTACHMENT_ID] --field=post_parent\n   ```\n   *Expected:* The `post_parent` should now be the ID of the Attacker's reply or ticket, not the Victim's.\n\n2. **Check Meta\u002FCustom Tables:**\n   If SupportCandy uses a custom table (e.g., `wp_wpsc_attachments`), query it:\n   ```bash\n   wp db query \"SELECT * FROM wp_wpsc_attachments WHERE attachment_id = [VICTIM_ATTACHMENT_ID]\"\n   ```\n   *Expected:* The `ticket_id` column should reflect the Attacker's ticket ID.\n\n## 9. Alternative Approaches\n- **Bulk Stealing:** Provide a list of attachment IDs in the `description_attachments[]` array to steal multiple files at once.\n- **Unauthorized Deletion:** Check if re-associating an attachment \"removes\" it from the original ticket, effectively performing an unauthorized deletion\u002Fmove.\n- **Different Entry Points:** Check the `wpsc_create_ticket` action for the same `description_attachments` parameter vulnerability. If an attacker can specify attachments during ticket *creation*, the logic may be identical.","The SupportCandy plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via the 'add_reply' function. Authenticated attackers with subscriber-level access can supply arbitrary attachment IDs in the 'description_attachments' parameter to re-associate files uploaded by other users to their own tickets, thereby gaining unauthorized access to sensitive documents.","\u002F\u002F Inferred from plugin logic in class-wpsc-tickets.php\npublic function wpsc_add_reply() {\n    \u002F\u002F ... (logic to verify ticket ownership of the ticket being replied to) ...\n\n    if ( isset( $_POST['description_attachments'] ) && ! 
empty( $_POST['description_attachments'] ) ) {\n        $attachments = (array) $_POST['description_attachments'];\n        foreach ( $attachments as $attachment_id ) {\n            \u002F\u002F VULNERABILITY: No check to ensure the current user owns this attachment_id\n            \u002F\u002F before re-parenting it to the new reply.\n            wp_update_post( array(\n                'ID'          => intval( $attachment_id ),\n                'post_parent' => $reply_id,\n            ) );\n        }\n    }\n}","--- a\u002Fincludes\u002Fclass-wpsc-tickets.php\n+++ b\u002Fincludes\u002Fclass-wpsc-tickets.php\n@@ -102,6 +102,12 @@\n \n     if ( isset( $_POST['description_attachments'] ) && ! empty( $_POST['description_attachments'] ) ) {\n         $attachments = (array) $_POST['description_attachments'];\n+        $current_user_id = get_current_user_id();\n         foreach ( $attachments as $attachment_id ) {\n+            $attachment = get_post( $attachment_id );\n+            if ( ! $attachment || intval( $attachment->post_author ) !== $current_user_id ) {\n+                continue;\n+            }\n             wp_update_post( array(\n                 'ID'          => intval( $attachment_id ),\n                 'post_parent' => $reply_id,","1. The attacker logs into the WordPress site as a Subscriber or any role with ticket access.\n2. The attacker identifies a target attachment ID belonging to another user (e.g., via enumeration or predictive IDs).\n3. The attacker navigates to the SupportCandy portal to extract a valid AJAX nonce, typically found in the localized 'wpsc_ajax_common' JavaScript object.\n4. The attacker crafts a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'wpsc_add_reply'.\n5. The payload includes a 'ticket_id' belonging to the attacker and the victim's attachment ID inside the 'description_attachments[]' array.\n6. 
The server processes the request and re-assigns the victim's attachment to the attacker's ticket, allowing the attacker to view or download the file from their own ticket interface.","gemini-3-flash-preview","2026-05-05 02:01:37","2026-05-05 02:03:24",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags\u002F3.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupportcandy.3.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags\u002F3.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupportcandy.3.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags"]
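Review bot: in the research_fix_diff hunk, the ownership check silently `continue`s past attachments whose `post_author` is not the current user, so a request carrying another user's attachment IDs still returns success with those IDs quietly dropped; rejecting the request (for example with `wp_send_json_error()`) and logging it would make the attempt visible and stop the caller from being told the reply went through. The added `get_post( $attachment_id )` should also take `intval( $attachment_id )`, consistent with the `wp_update_post` call below it, and should confirm `$attachment->post_type === 'attachment'` before re-parenting, since any post authored by the user would otherwise pass the check. Note that `patch_diff_files` in this record is empty and the vulnerable snippet is marked "Inferred", so this hunk is a reconstruction of the fix, not the vendor's 3.4.5 change.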