[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTS68K4M76YITodxE0kvtwyYjvQeuKaqQmKxtYOkbclA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25321","supportcandy-helpdesk-customer-support-ticket-system-missing-authorization","SupportCandy – Helpdesk & Customer Support Ticket System \u003C= 3.4.4 - Missing Authorization","The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.4.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.","supportcandy",null,"\u003C=3.4.4","3.4.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-29 00:00:00","2026-05-04 15:39:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd0064a76-3ccc-4dd6-b312-d19abb3944fa?source=api-prod",96,[],"researched",false,3,"This research plan outlines the process for identifying and exploiting the Missing Authorization vulnerability (CVE-2026-25321) in SupportCandy \u003C= 3.4.4.\n\n### 1. Vulnerability Summary\nThe SupportCandy plugin for WordPress fails to implement proper authorization checks (e.g., `current_user_can()`) in one or more of its AJAX handlers. While these handlers may use nonces for CSRF protection, the nonces are often exposed to unauthenticated users, and the functions themselves lack a check to ensure the requester has administrative or agent privileges. This allows unauthenticated attackers to perform actions that should be restricted to support agents or administrators.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** Several `wp_ajax_nopriv_wpsc_...` hooks are registered. Based on the \"Missing Authorization\" description, the target is likely an administrative function mistakenly exposed via `nopriv` or a function that fails to validate the user's role before processing sensitive data.\n*   **Likely Target Actions (to be verified):** \n    *   `wpsc_get_ticket_list` (Information disclosure)\n    *   `wpsc_set_ticket_status` (Unauthorized modification)\n    *   `wpsc_export_tickets` (Information disclosure)\n*   **Payload Parameter:** `action`, `nonce`, and action-specific parameters (e.g., `ticket_id`, `status_id`).\n*   **Authentication:** Unauthenticated (AV:N\u002FAC:L\u002FPR:N).\n\n### 3. Code Flow Trace\n1.  **Entry Point:** The plugin registers AJAX hooks in `includes\u002Fclass-supportcandy.php` or a dedicated AJAX loader file (e.g., `includes\u002Fwpsc-ajax-functions.php`).\n    *   *Search Pattern:* `grep -rn \"wp_ajax_nopriv_wpsc_\" .`\n2.  **Hook Registration:** Look for calls like:\n    `add_action( 'wp_ajax_nopriv_wpsc_get_ticket_list', 'wpsc_get_ticket_list' );`\n3.  **Vulnerable Function:** Locate the callback function. \n    *   *Search Pattern:* `function wpsc_get_ticket_list() { ... }`\n4.  **Authorization Sink:** Examine the function body for:\n    *   **Presence of:** `check_ajax_referer( 'wpsc_ajax_nonce', 'nonce' );` (This confirms a nonce is required).\n    *   **Absence of:** `current_user_can( 'wpsc_manage_tickets' )` or `current_user_can( 'manage_options' )`.\n5.  **Execution:** If `current_user_can` is missing, the code proceeds to query the database or modify state based on `$_POST` input.\n\n### 4. Nonce Acquisition Strategy\nSupportCandy localizes its AJAX data, including the nonce, for use in the frontend.\n1.  **Shortcode Identification:** SupportCandy uses the shortcode `[supportcandy]` to render the ticket system.\n2.  **Page Creation:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Support\" --post_status=publish --post_content='[supportcandy]'\n    ```\n3.  **Extraction:** Navigate to the newly created page and extract the `wpsc_ajax` object.\n    *   **JS Variable:** `window.wpsc_ajax` (inferred from SupportCandy common practices).\n    *   **Nonce Key:** `window.wpsc_ajax?.nonce` or `window.wpsc_ajax?.wpsc_ajax_nonce`.\n    *   **Tool Command:** `browser_eval(\"window.wpsc_ajax.nonce\")`\n\n### 5. Exploitation Strategy\nWe will target an information disclosure action to confirm \"unauthorized access.\"\n\n1.  **Step 1: Discover the vulnerable action.** Use `grep` to find all `nopriv` actions that perform sensitive lookups.\n2.  **Step 2: Obtain the Nonce.** Use the browser tool on a page containing the `[supportcandy]` shortcode.\n3.  **Step 3: Craft the Request.** Send a POST request to `admin-ajax.php`.\n\n**Request Template:**\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=wpsc_get_ticket_list&nonce=[EXTRACTED_NONCE]&query=[QUERY_OBJECT]\n    ```\n    *(Note: `query` might be required by SupportCandy to define filters; if unknown, try empty or generic values like `page_no=1&status=all`)*\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `supportcandy` version 3.4.4 is installed.\n2.  **Sample Data:** Create a \"Private\" ticket as an administrator to see if the unauthenticated exploit can retrieve it.\n    ```bash\n    # (Example using SupportCandy CLI logic if available, otherwise via UI\u002FDB)\n    wp post create --post_type=wpsc_ticket --post_title=\"Sensitive Internal Ticket\" --post_status=publish\n    ```\n3.  **Shortcode Page:** Create the page for nonce extraction as described in Section 4.\n\n### 7. Expected Results\n*   **Vulnerable Response:** An HTTP 200 response containing a JSON object or HTML table listing tickets that should not be visible to an unauthenticated visitor.\n*   **Response Content:** Look for strings like `\"ticket_id\"`, `\"subject\"`, or the title of the \"Sensitive Internal Ticket\" created in Step 6.\n\n### 8. Verification Steps\n1.  **HTTP Response Code:** Check for `200 OK`.\n2.  **Body Content:** Validate that the response contains ticket data that belongs to other users or the administrator.\n3.  **Confirm Privilege Level:** Ensure the `http_request` does **not** include any `wordpress_logged_in_` cookies to prove unauthenticated access.\n\n### 9. Alternative Approaches\nIf `wpsc_get_ticket_list` is properly protected, check for other `nopriv` handlers:\n*   **`wpsc_get_field_options`**: Could leak configuration.\n*   **`wpsc_get_user_list`**: Could leak email addresses of customers.\n*   **`wpsc_upload_attachment`**: Check if it allows uploading files without a valid ticket session.\n\n**Grep Command for discovery:**\n```bash\ngrep -r \"wp_ajax_nopriv\" wp-content\u002Fplugins\u002Fsupportcandy\u002F | grep -v \"login\"\n```\nThis will filter for unauthenticated actions that aren't related to standard login flows.","The SupportCandy plugin fails to implement proper authorization checks in several AJAX handlers registered with 'wp_ajax_nopriv_'. This allows unauthenticated attackers to trigger sensitive actions, such as retrieving ticket lists or modifying ticket data, by exploiting nonces that are publicly exposed on pages containing the plugin's shortcode.","\u002F\u002F File: includes\u002Fclass-wpsc-ajax.php (approximate path based on plugin structure)\n\nadd_action( 'wp_ajax_nopriv_wpsc_get_ticket_list', 'wpsc_get_ticket_list' );\nadd_action( 'wp_ajax_wpsc_get_ticket_list', 'wpsc_get_ticket_list' );\n\nfunction wpsc_get_ticket_list() {\n    \u002F\u002F Nonce check exists, but is insufficient as nonces are exposed to all visitors\n    check_ajax_referer( 'wpsc_ajax_nonce', 'nonce' );\n\n    \u002F\u002F Vulnerability: Missing current_user_can() or role-based check\n    $query = isset($_POST['query']) ? $_POST['query'] : array();\n    $tickets = WPSC_Ticket::get_tickets( $query );\n\n    wp_send_json_success( $tickets );\n    wp_die();\n}","--- a\u002Fincludes\u002Fclass-wpsc-ajax.php\n+++ b\u002Fincludes\u002Fclass-wpsc-ajax.php\n@@ -10,6 +10,11 @@\n function wpsc_get_ticket_list() {\n     check_ajax_referer( 'wpsc_ajax_nonce', 'nonce' );\n \n+    if ( ! current_user_can( 'wpsc_manage_tickets' ) && ! is_user_logged_in() ) {\n+        wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );\n+        wp_die();\n+    }\n+\n     $query = isset($_POST['query']) ? $_POST['query'] : array();\n     $tickets = WPSC_Ticket::get_tickets( $query );","1. Identify a public-facing page on the target WordPress site that utilizes the [supportcandy] shortcode (e.g., the support portal or ticket submission page).\n2. Inspect the page source or use browser developer tools to extract the 'wpsc_ajax' JavaScript object, specifically the 'nonce' value (usually 'wpsc_ajax_nonce').\n3. Construct an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n4. Set the 'action' parameter to a vulnerable handler (e.g., 'wpsc_get_ticket_list') and include the extracted 'nonce'.\n5. Include any necessary query parameters (like page numbers or filters) in the POST body.\n6. Execute the request to receive a JSON response containing sensitive ticket data or performing restricted modifications, bypassing administrative role requirements.","gemini-3-flash-preview","2026-05-04 20:57:23","2026-05-04 20:59:16",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags\u002F3.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupportcandy.3.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags\u002F3.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsupportcandy.3.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsupportcandy\u002Ftags"]