SupportCandy Helpdesk and Customer Support Ticket System Insecure Direct Object Reference Vulnerability

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the SupportCandy Helpdesk & Customer Support Ticket System plugin for WordPress, affecting all versions through 3.3.0. The vulnerability arises from inadequate validation of user-controlled keys during file uploads, enabling authenticated attackers to access attachments from support tickets that are not theirs. Furthermore, if an admin permits guest access to tickets, this vulnerability could be exploited by unauthenticated attackers.

Impact

Exploitation of this vulnerability allows for unauthorized access to ticket attachments, potentially leading to the disclosure of sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user can upload a file to a support ticket. Due to the lack of proper validation, it is possible to manipulate the request to download attachments from other users' tickets. If the 'create ticket' option is enabled for guests, this can be done without authentication.

Remediation

Users are advised to update the SupportCandy Helpdesk & Customer Support Ticket System plugin to version 3.3.1 or later.
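The flaw described above is a missing object-level authorization check: the attachment id from the request is trusted on its own. The following is an added example, not SupportCandy's code, of a download lookup written with and without that check; the table and column names, the `manage_support_tickets` capability and the per-ticket guest token are assumptions, not the plugin's actual schema.

```php
<?php
// Hypothetical WordPress ticket-attachment lookup for a download handler (added
// example, not SupportCandy's code). Table and column names are placeholders.

// Vulnerable pattern: the id from the request alone decides which file is
// served, so any attachment id the caller supplies resolves to a file.
function insecure_attachment_path( $attachment_id ) {
    global $wpdb;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT file_path FROM {$wpdb->prefix}ticket_attachments WHERE id = %d",
        $attachment_id
    ) );
    return $row ? $row->file_path : null;
}

// Hardened pattern: resolve the attachment through its ticket and check that
// the caller may view that ticket before returning anything.
function secure_attachment_path( $attachment_id, $guest_token = '' ) {
    global $wpdb;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT a.file_path, t.customer_user_id, t.guest_token
           FROM {$wpdb->prefix}ticket_attachments a
           JOIN {$wpdb->prefix}tickets t ON t.id = a.ticket_id
          WHERE a.id = %d",
        $attachment_id
    ) );
    // Same result for "no such attachment" and "not your ticket", so the
    // endpoint does not become an oracle for which ids exist.
    if ( ! $row || ! caller_may_view_ticket( $row, $guest_token ) ) {
        return null;
    }
    return $row->file_path;
}

function caller_may_view_ticket( $row, $guest_token ) {
    // Agents and admins: a specific capability, not merely being logged in.
    if ( current_user_can( 'manage_support_tickets' ) ) {
        return true;
    }
    // Registered customers: the ticket must belong to them.
    $uid = get_current_user_id();
    if ( $uid && (int) $row->customer_user_id === $uid ) {
        return true;
    }
    // Guest tickets: require the random per-ticket token issued at creation,
    // compared in constant time; the numeric ticket id alone proves nothing.
    return $guest_token !== '' && ! empty( $row->guest_token )
        && hash_equals( $row->guest_token, $guest_token );
}
```

The request handler maps a null return to a 404 and otherwise streams the file; for guest tickets the token comes from the link the requester received when the ticket was created.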

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.