This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**IDOR Vulnerability**: The SupportCandy plugin does not validate the user-controlled `description_attachments` parameter in the `add_reply` function…
**Root Cause**: CWE-284 (Insecure Direct Object References). The lack of a permission check on user-supplied attachment IDs allows arbitrary files to be associated with a ticket.
Q3. Who is affected? (Versions/Components)
**Scope**: All versions up to and including 3.4.4. Component: WordPress plugin SupportCandy – Helpdesk & Customer Support Ticket System.
Q4. What can hackers do? (Privileges/Data)
**What Hackers Can Do**: Requires only subscriber-level or higher privileges. An attacker can take attachments uploaded by other users and bind them to their own tickets, enabling data theft and privilege escalation.
Q5. Is the exploitation threshold high? (Auth/Config)
**Low Exploitation Barrier**: Only an authenticated user (subscriber level or above) is needed. No special configuration is required; attackers can submit malicious parameters directly via the API.
Q6. Is there a public exploit? (PoC/Wild Exploitation)
**No Public PoC**: Official data does not provide a PoC. There are no known in-the-wild exploitation reports, but the risk is high; immediate remediation is recommended.
Q7. How to self-check? (Features/Scanning)
**Self-Check Method**: Inspect the `class-wpsc-individual-ticket.php` file and locate the `add_reply` function. Check whether the IDs passed in the `description_attachments` parameter are validated against the current user's permissions before they are bound to the ticket.
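To make the self-check concrete, the following is an added, self-contained PHP illustration (not SupportCandy's own code) of the unchecked binding the Q7 inspection should catch, beside the ownership filter a fixed `add_reply` would apply. The attachment store is a constructed in-memory array standing in for the plugin's attachment records; the field names `uploaded_by` and `ticket_id`, and the function names, are assumptions. In a real plugin the user ID would come from `get_current_user_id()` and the rows from the plugin's own table.

```php
<?php
// Constructed attachment records (assumption: each upload records its owner and
// the ticket it is bound to, 0 meaning "not yet bound").
$attachments = [
    101 => ['uploaded_by' => 7, 'ticket_id' => 0],   // user 7's, unbound
    102 => ['uploaded_by' => 7, 'ticket_id' => 55],  // user 7's, already on ticket 55
    103 => ['uploaded_by' => 2, 'ticket_id' => 0],   // belongs to a different user
];

// VULNERABLE shape (hypothetical): every submitted ID is trusted and bound to
// the caller's ticket, so a subscriber can claim anyone's upload (the IDOR).
function bind_attachments_unchecked(array $store, array $submitted, int $ticket_id): array
{
    foreach ($submitted as $id) {
        $store[(int) $id]['ticket_id'] = $ticket_id;   // no ownership check
    }
    return $store;
}

// HARDENED shape (hypothetical): keep only IDs that exist, were uploaded by the
// current user, and are not already bound to a different ticket; drop and log
// everything else instead of failing open.
function filter_owned_attachments(array $store, array $submitted, int $user_id, int $ticket_id): array
{
    $allowed = [];
    foreach (array_unique(array_map('intval', $submitted)) as $id) {
        $row = $store[$id] ?? null;
        if ($row === null) {
            error_log("attachment $id rejected: unknown id");
        } elseif ($row['uploaded_by'] !== $user_id) {
            error_log("attachment $id rejected: not uploaded by user $user_id");
        } elseif ($row['ticket_id'] !== 0 && $row['ticket_id'] !== $ticket_id) {
            error_log("attachment $id rejected: already bound to ticket {$row['ticket_id']}");
        } else {
            $allowed[] = $id;
        }
    }
    return $allowed;
}

// Constructed request: user 7 replies on ticket 60 and submits four IDs, one of
// which belongs to user 2 and one of which is already on ticket 55.
$submitted = ['101', '102', '103', '103'];
$unchecked = bind_attachments_unchecked($attachments, $submitted, 60);
print_r($unchecked[103]);   // user 2's file is now attached to user 7's ticket
print_r(filter_owned_attachments($attachments, $submitted, 7, 60));   // only user 7's unbound file survives
```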
Q8. Is it fixed officially? (Patch/Mitigation)
**Officially Fixed**: Refer to Trac changeset #3448376. A patch has been released; upgrade to the latest version.
**High Priority!** CVSS 3.1 (C:L/I:L/A:N), high risk of data leakage. An immediate upgrade or temporary hardening is recommended to prevent exploitation.