CVE-2021-24878

Name of the Vulnerable Software and Affected Versions SupportCandy WordPress plugin versions prior to 2.2.7

Description The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the plugin does not properly sanitise and escape the query string before outputting it back in pages with the [wpsc create ticket] shortcode embed.

Recommendations For versions prior to 2.2.7, update to version 2.2.7 or later to resolve the issue. As a temporary workaround, consider disabling the [wpsc create ticket] shortcode embed until a patch is available. Restrict access to pages that use this shortcode to minimize the risk of exploitation.