HAPPY Helpdesk Support Ticket System Authorization Bypass Vulnerability in WordPress

Vulnerability

A vulnerability exists in the HAPPY – Helpdesk Support Ticket System plugin for WordPress, in versions through 1.0.9. The 'submit_form_reply' AJAX action is missing a capability check, which allows authenticated attackers with Subscriber-level access and above to bypass authorization. Exploitation involves manipulating the 'happy_topic_id' parameter to submit replies to arbitrary support tickets, regardless of ticket ownership or assignment.

Impact

Exploitation of this vulnerability allows an attacker to send unauthorized replies, on their own behalf, to any support ticket, potentially disrupting ticket management and communication.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'submit_form_reply' AJAX action. The request must include the 'happy_topic_id' parameter, which can be manipulated to target any support ticket. The absence of a proper capability check allows the reply to be submitted, even if the user is not the ticket owner or assigned to the ticket.

Remediation

Users are advised to update the HAPPY – Helpdesk Support Ticket System plugin to version 1.0.10 or later, where this vulnerability has been patched.
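
For developers reviewing similar AJAX handlers, the following added example (not the plugin's code and not its 1.0.10 patch) shows a nonce, ownership and capability check placed before a reply is stored. Only the 'submit_form_reply' action and the 'happy_topic_id' parameter come from this advisory; the function names, nonce action, 'example_reply' field, 'example_assigned_agent' meta key, the use of 'edit_others_posts' as the staff capability, and the storage of tickets as posts with replies as comments are all assumptions.

```php
<?php
// Added example: a hypothetical hardened handler, not the plugin's own code.
// Assumptions: a ticket is a post whose post_author is the ticket owner, the
// assigned agent's user ID is kept in the 'example_assigned_agent' post meta,
// and staff are users holding the 'edit_others_posts' capability.
add_action( 'wp_ajax_submit_form_reply', 'example_submit_form_reply' );

function example_user_can_reply( $user_id, $ticket ) {
    if ( ! $ticket instanceof WP_Post ) {
        return false; // Unknown or missing ticket: deny by default.
    }
    // Staff may reply to any ticket.
    if ( user_can( $user_id, 'edit_others_posts' ) ) {
        return true;
    }
    $agent_id = (int) get_post_meta( $ticket->ID, 'example_assigned_agent', true );
    $user_id  = (int) $user_id;
    return (int) $ticket->post_author === $user_id || ( $agent_id > 0 && $agent_id === $user_id );
}

function example_submit_form_reply() {
    // 1. CSRF: terminate the request unless it carries a valid nonce.
    check_ajax_referer( 'example_reply_nonce', 'nonce' );

    // 2. The ticket ID is attacker-controlled input; normalise it and load the ticket.
    $ticket_id = isset( $_POST['happy_topic_id'] ) ? absint( wp_unslash( $_POST['happy_topic_id'] ) ) : 0;
    $ticket    = $ticket_id ? get_post( $ticket_id ) : null;

    // 3. Authorization: being logged in is not enough. The caller must own the
    //    ticket, be its assigned agent, or hold the staff capability.
    if ( ! example_user_can_reply( get_current_user_id(), $ticket ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    $reply = isset( $_POST['example_reply'] ) ? sanitize_textarea_field( wp_unslash( $_POST['example_reply'] ) ) : '';
    if ( '' === $reply ) {
        wp_send_json_error( array( 'message' => 'Empty reply.' ), 400 );
    }

    // 4. Only now store the reply (stored as a comment in this sketch).
    $comment_id = wp_insert_comment( array(
        'comment_post_ID' => $ticket->ID,
        'user_id'         => get_current_user_id(),
        'comment_content' => $reply,
    ) );
    wp_send_json_success( array( 'reply_id' => $comment_id ) );
}
```

Both wp_send_json_error() and a failed check_ajax_referer() end the request, so the reply is never written when any check fails.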

Added: Dec 13, 2025, 4:47 PM
Updated: Dec 13, 2025, 4:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.