PT-2022-9490 · WordPress · Supportcandy

Apple502J

·

Published

2022-02-07

·

Updated

2022-02-10

·

CVE-2021-24879

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SupportCandy WordPress plugin, versions prior to 2.2.7
Description: The plugin performs no CSRF (nonce) check in the wpsc_tickets AJAX action and does not sufficiently sanitise or escape some of the filter fields it accepts. An attacker can therefore trick a logged-in user who has access to the ticket list dashboard into setting an arbitrary filter value containing an XSS payload. The value is stored in that user's cookies, so the payload persists and is rendered by the dashboard on later visits rather than only in the single forged request.
Recommendations: Update to version 2.2.7 or later, which resolves the issue. Where an update cannot be applied immediately, restrict access to the wpsc_tickets AJAX action (for example at the web server or WAF level) and avoid using the filter fields in the ticket list dashboard until the plugin has been updated. Users who may already have been targeted should clear the plugin's filter cookies after updating, since a payload stored before the fix remains in the browser until the cookie expires or is removed.
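The following is an added illustration of the bug class described above, not SupportCandy's own code: a WordPress AJAX handler that stores a filter in a cookie without a nonce check and later echoes it unescaped, beside a hardened version. All function, action, cookie and capability names (demo_*, wpsc_demo_filter, edit_posts) are hypothetical, and the allow-list of filter values is an assumption about what such a field would accept.

```php
<?php
// Added example, not code from the SupportCandy plugin. Names are hypothetical.

// ---- Vulnerable pattern -------------------------------------------------------
// No nonce check: any request that carries the victim's WordPress session cookies
// reaches this handler, including one submitted by a form on an attacker's site.
function demo_vulnerable_set_filter() {
    $filter = isset( $_POST['filter'] ) ? wp_unslash( $_POST['filter'] ) : '';
    // Raw input persisted client-side; nothing constrains its content.
    setcookie( 'wpsc_demo_filter', $filter, time() + DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
    wp_die();
}
add_action( 'wp_ajax_demo_set_filter', 'demo_vulnerable_set_filter' );

function demo_vulnerable_render_filter() {
    $filter = isset( $_COOKIE['wpsc_demo_filter'] ) ? $_COOKIE['wpsc_demo_filter'] : '';
    // Sink: the cookie value lands in the dashboard HTML unescaped, so a payload
    // set once by CSRF fires on every later page load for this user.
    echo '<span class="active-filter">' . $filter . '</span>';
}

// ---- Hardened pattern ---------------------------------------------------------
function demo_hardened_set_filter() {
    // 1. CSRF: require a nonce issued for this action to this user. On failure
    //    check_ajax_referer() terminates the request with a -1/403 response.
    check_ajax_referer( 'demo_set_filter', 'nonce' );

    // 2. Authorisation: only users allowed to see the ticket dashboard
    //    (capability name is a placeholder for the plugin's real one).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: normalise, then allow-list. sanitize_key() strips
    //    everything outside [a-z0-9_-], which rules out markup outright.
    $allowed = array( 'all', 'open', 'closed', 'mine' ); // assumed filter set
    $filter  = isset( $_POST['filter'] ) ? sanitize_key( wp_unslash( $_POST['filter'] ) ) : 'all';
    if ( ! in_array( $filter, $allowed, true ) ) {
        $filter = 'all';
    }

    // 4. Cookie hygiene: Secure on HTTPS, HttpOnly so the value is not readable
    //    from page scripts even if another XSS exists.
    setcookie( 'wpsc_demo_filter', $filter, time() + DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    wp_send_json_success( array( 'filter' => $filter ) );
}
add_action( 'wp_ajax_demo_set_filter_safe', 'demo_hardened_set_filter' );

function demo_hardened_render_filter() {
    $filter = isset( $_COOKIE['wpsc_demo_filter'] ) ? sanitize_key( wp_unslash( $_COOKIE['wpsc_demo_filter'] ) ) : 'all';
    // 5. Output escaping at the sink regardless of how the cookie was set:
    //    a cookie is attacker-influenced input like any other.
    echo '<span class="active-filter">' . esc_html( $filter ) . '</span>';
}
```

The legitimate front end must then send the nonce with each AJAX call, for example by passing `wp_create_nonce( 'demo_set_filter' )` to the script via `wp_localize_script()` and including it as the `nonce` POST field. A cross-site attacker cannot read that value, which is what makes the check in step 1 effective; steps 3 and 5 ensure that even a filter set through some other path cannot carry markup into the dashboard.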

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2021-24879

Affected Products

Supportcandy