SupportCandy Helpdesk and Customer Support Ticket System Insecure Direct Object Reference Vulnerability
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the SupportCandy Helpdesk & Customer Support Ticket System plugin for WordPress, affecting all versions through 3.4.4. The flaw is in the 'add_reply' function, where insufficient validation of a user-controlled key allows authenticated attackers with subscriber-level access or higher to manipulate attachment IDs. The referenced attachments are reassigned to the attacker's own ticket, which lets the attacker steal files uploaded by other users and removes access from the original owners.
Impact
Exploitation of this vulnerability allows for unauthorized access to file attachments, enabling an attacker to steal files uploaded by other users.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to the 'add_reply' function via AJAX. The request must include arbitrary attachment IDs in the 'description_attachments' parameter. This will reassign the specified attachments to the user's ticket, effectively stealing them from the original owner.
Remediation
Users are advised to update the SupportCandy Helpdesk & Customer Support Ticket System plugin to version 3.4.5 or later.
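The ownership check whose absence is described above, as an added example (this is not SupportCandy's code or its 3.4.5 patch). The function name, the in-memory attachment store, its field names and the comma-separated format of 'description_attachments' are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: attachment id => record. Field names are hypothetical.
$attachments = [
    101 => ['owner_id' => 7, 'ticket_id' => 0],   // uploaded by user 7, not yet attached
    102 => ['owner_id' => 7, 'ticket_id' => 55],  // already attached to user 7's ticket 55
    201 => ['owner_id' => 9, 'ticket_id' => 80],  // uploaded by a different user (9)
];

/**
 * Hypothetical hardened reply handler. Attaches only files that the current
 * user uploaded and that are not already bound to a different ticket.
 * Assumes the caller has already verified that $userId may reply to $ticketId.
 */
function attach_to_reply(array &$store, int $userId, int $ticketId, string $rawIds): array
{
    $accepted = [];
    $rejected = [];

    // Treat the client-supplied list as untrusted: keep positive integers only.
    $ids = array_unique(array_filter(
        array_map('intval', explode(',', $rawIds)),
        fn ($id) => $id > 0
    ));

    foreach ($ids as $id) {
        $rec   = $store[$id] ?? null;
        // Ownership: the record must exist and belong to the requesting user.
        $owned = $rec !== null && $rec['owner_id'] === $userId;
        // Binding: unattached (0) or already on this ticket; never moved from another.
        $free  = $rec !== null && in_array($rec['ticket_id'], [0, $ticketId], true);

        if ($owned && $free) {
            $store[$id]['ticket_id'] = $ticketId;
            $accepted[] = $id;
        } else {
            $rejected[] = $id; // worth logging: a foreign or already-bound attachment ID was submitted
        }
    }

    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// User 7 replies on ticket 60 and submits own, foreign, already-bound and malformed IDs.
print_r(attach_to_reply($attachments, 7, 60, '101,201,102,abc'));
```

Rejected IDs are a useful detection signal on their own: a legitimate client only ever submits attachment IDs it received from its own uploads.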
