Insecure Direct Object Reference in Majestic Support Plugin for WordPress
CVE-2024-13601

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Majestic Support – The Leading-edge Help Desk & Customer Support Plugin
Vendor: CVE Published:; 12 February 2025

Summary

The Majestic Support Plugin for WordPress is susceptible to an Insecure Direct Object Reference, allowing authenticated attackers with Subscriber-level access and above to export ticket data for any user. This vulnerability arises from insufficient validation of a user-controlled key in the 'exportusereraserequest' function present in all versions up to and including 1.0.5. Without proper restrictions, attackers can exploit this flaw to access sensitive information, potentially leading to unauthorized data disclosure.

Affected Version(s)

Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin * <= 1.0.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/majestic-suppo...

https://plugins.trac.wordpress.org/changeset/3231938/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 12, 2025
Vulnerability Reserved
Jan 21, 2025

Credit

Tim Coen