CVE-2023-2805

Name of the Vulnerable Software and Affected Versions SupportCandy WordPress plugin versions prior to 3.1.7

Description The issue arises from the improper sanitization and escaping of the agents[] parameter in the set add agent leaves AJAX function, which is then used in a SQL statement. This leads to a SQL injection that can be exploited by high-privilege users, such as administrators.

Recommendations For versions prior to 3.1.7, update to version 3.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the set add agent leaves AJAX function until a patch is applied.