CVE-2021-24839

Name of the Vulnerable Software and Affected Versions SupportCandy WordPress plugin versions prior to 2.2.5

Description The issue is related to the lack of authorisation and CSRF checks in the wpsc tickets AJAX action, which could allow unauthenticated users to delete arbitrary tickets via the set delete permanently bulk ticket setting action. Other actions may also be affected.

Recommendations For versions prior to 2.2.5, update to version 2.2.5 or later to resolve the issue. As a temporary workaround, consider disabling the wpsc tickets AJAX action until a patch is available. Restrict access to the set delete permanently bulk ticket setting action to minimize the risk of exploitation.