Authenticated Attackers Can Modify Tickets and Lose Data Due to Security Vulnerability
CVE-2024-8548

8.1 HIGH

Key Information:

Vendor:
WordPress
CVE Published:
1 October 2024

Summary

The KB Support – WordPress Help Desk and Knowledge Base plugin is susceptible to a vulnerability that allows authenticated users with Subscriber-level access and above to perform unauthorized administrative actions. The root cause is a missing capability check in several functions, which opens the door to data loss and unauthorized changes. An attacker can respond to arbitrary support tickets, alter post statuses, delete posts, append notes to tickets, manipulate ticket statuses, and control ticket participants. As such, this vulnerability poses a significant risk to user data integrity and to the plugin's overall functionality.
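To make the "missing capability check" concrete, here is an added illustration (not the KB Support plugin's own code) of a WordPress AJAX handler that changes a ticket's status, first without any authorization, then with the nonce, capability and input checks such an action needs. The handler names, the AJAX action name, the `kbs_ticket` post type string and the status list are assumptions for the example.

```php
<?php
// Added illustration, not the KB Support plugin's code. Handler and action
// names, the 'kbs_ticket' post type and the status list are hypothetical.

// BEFORE: any logged-in user (Subscriber and up) who can reach admin-ajax.php
// can call this for any ticket ID, because wp_ajax_* hooks fire for every
// authenticated user and nothing here asks whether they may edit the ticket.
function example_update_ticket_status_vulnerable() {
    $ticket_id = absint( $_POST['ticket_id'] ?? 0 );
    $status    = sanitize_key( $_POST['status'] ?? '' );
    wp_update_post( array( 'ID' => $ticket_id, 'post_status' => $status ) );
    wp_send_json_success();
}

// AFTER: the same handler with the checks a privileged action requires.
function example_update_ticket_status_fixed() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_update_ticket_status', 'nonce' );

    $ticket_id = absint( $_POST['ticket_id'] ?? 0 );
    $status    = sanitize_key( $_POST['status'] ?? '' );

    // 2. Authorization: the object must exist, must be a ticket, and the current
    //    user must hold the edit capability for *this* post. 'edit_post' goes
    //    through map_meta_cap, so a Subscriber (or an agent with no rights on
    //    this particular ticket) is rejected.
    $ticket = get_post( $ticket_id );
    if ( ! $ticket
         || 'kbs_ticket' !== $ticket->post_type            // hypothetical type
         || ! current_user_can( 'edit_post', $ticket_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation: accept only statuses the plugin defines, never an
    //    arbitrary post_status from the request.
    $allowed = array( 'open', 'hold', 'closed' ); // hypothetical status list
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status' ), 400 );
    }

    wp_update_post( array( 'ID' => $ticket_id, 'post_status' => $status ) );
    wp_send_json_success( array( 'ticket_id' => $ticket_id, 'status' => $status ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_update_ticket_status', 'example_update_ticket_status_fixed' );
```

The same three checks (nonce, per-object capability, allow-listed input) apply to every action the summary lists: replying to a ticket, deleting a post, adding a note, or changing participants.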

Affected Version(s)

KB Support – WordPress Help Desk and Knowledge Base * <= 1.6.6

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Krzysztof Zając