CVE-2021-24878
Published 2022-02-07
Priority: P2 · 77 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 1.17% (63.3rd percentile)
The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| supportcandy | supportcandy | < 2.2.7 | 2.2.7 |
Detection & IOCs (extracted from sources)
- Probe for reflected XSS by sending a GET request with the payload `/?};alert(1)//` to pages embedding the [wpsc_create_ticket] shortcode; a vulnerable response will contain the string `var attrs = {};alert(1)//:` and the token `wpsc_create_ticket_init` in the HTML body with HTTP 200 and Content-Type text/html.
- Fingerprint exposed SupportCandy installations by searching for the path `/wp-content/plugins/supportcandy/` in HTTP response bodies.
- The vulnerability is triggered only on pages that embed the [wpsc_create_ticket] shortcode; confirm presence of `wpsc_create_ticket_init` in the response to validate the attack surface.
- The reflected XSS payload is injected via the raw query string (not a named parameter); the unsanitised query string is reflected inside a JavaScript `var attrs = ...` assignment, so the injection breaks out of the object literal context.
- Only plugin versions strictly before 2.2.7 are vulnerable; version 2.2.7 and later contain the fix.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| VulnCheck | | 6.1 | MEDIUM | |
GHSA
GHSA-w9r7-4qpm-xxc5 · ghsa_unreviewed · 2022-02-08 · CVE-2021-24878 [MEDIUM] · CWE-79
The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue
VulnCheck
CVE-2021-24878 [MEDIUM] · vulncheck · 2021 · CVSS 6.1
supportcandy supportcandy: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue
Affected: supportcandy supportcandy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/supportcandy/supportcandy-226-reflected-cross-site-scripting
No detection rules found.
Nuclei
CVE-2021-24878 [MEDIUM] · nuclei · CVSS 6.1
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue
Template:
```yaml
id: CVE-2021-24878
info:
  name: SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
  author: popcorn94
  severity: medium
  description: |
    The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue
  impact: |
    Attackers can inject malicious JavaScript via reflected XSS in pages with wpsc_create_ticket shortcode, potentially stealing user session
```
No writeups or analysis indexed.