CVE-2024-13552

Name of the Vulnerable Software and Affected Versions SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress versions prior to 3.3.1

Description The issue allows authenticated attackers to download attachments for support tickets that do not belong to them due to missing validation on a user-controlled key. If an admin enables tickets for guests, this can be exploited by unauthenticated attackers.

Recommendations For versions prior to 3.3.1, update to version 3.3.1 or later to resolve the issue. As a temporary workaround, consider disabling the file upload feature until a patch is available. Restrict access to sensitive support tickets and attachments to minimize the risk of exploitation. Avoid enabling tickets for guests unless necessary, and implement additional access controls to mitigate the risk of unauthenticated attackers exploiting this issue.