Vulmon
supportcandy vulnerabilities and exploits
CVE-2024-27991 (CVSSv2: NA)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SupportCandy allows Stored XSS. This issue affects SupportCandy: from n/a up to and including 3.2.3.

CVE-2023-2805 (CVSSv2: NA)
The SupportCandy WordPress plugin prior to 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
Vendor / Product: Supportcandy / Supportcandy

CVE-2023-2719 (CVSSv2: NA)
The SupportCandy WordPress plugin prior to 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection exploitable by users with a role as low as Subscriber.
Vendor / Product: Supportcandy / Supportcandy

CVE-2023-1730 (CVSSv2: NA)
The SupportCandy WordPress plugin prior to 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated malicious users to perform SQL injection attacks.
Vendor / Product: Supportcandy / Supportcandy

CVE-2021-24839 (CVSSv2: 5)
The SupportCandy WordPress plugin prior to 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions m...
Vendor / Product: Supportcandy / Supportcandy

CVE-2021-24843 (CVSSv2: 4.3)
The SupportCandy WordPress plugin prior to 2.2.7 does not have a CSRF check in its wpsc_tickets AJAX action, which could allow malicious users to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action.
Vendor / Product: Supportcandy / Supportcandy

CVE-2021-24878 (CVSSv2: 4.3)
The SupportCandy WordPress plugin prior to 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue.
Vendor / Product: Supportcandy / Supportcandy

CVE-2021-24879 (CVSSv2: 6.8)
The SupportCandy WordPress plugin prior to 2.2.7 does not have a CSRF check in the wpsc_tickets AJAX action, nor any sanitisation or escaping in some of the filter fields, which could allow malicious users to make a logged in user having access to the ticket lists dashboard set ...
Vendor / Product: Supportcandy / Supportcandy

CVE-2021-24880 (CVSSv2: 3.5)
The SupportCandy WordPress plugin prior to 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
Vendor / Product: Supportcandy / Supportcandy

CVE-2019-11223 (CVSSv2: 7.5)
An Unrestricted File Upload Vulnerability in the SupportCandy plugin up to and including 2.0.0 for WordPress allows remote malicious users to execute arbitrary code by uploading a file with an executable extension.
Vendor / Product: Supportcandy / Supportcandy