CVE-2021-24878
published 2022-02-07

Priority: P2 (77) · medium
CVSS 3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 1.17% (63.3rd percentile)
The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue

Affected (1 range)

Vendor: supportcandy
Product: supportcandy
Version range: < 2.2.7
Fixed in: 2.2.7

Detection & IOCs (extracted from sources)

url: /?};alert(1)//
other: var attrs = {};alert(1)//:
other: wpsc_create_ticket_init
path: /wp-content/plugins/supportcandy/
  • Probe for reflected XSS by sending a GET request with the payload `/?};alert(1)//` to pages embedding the [wpsc_create_ticket] shortcode; a vulnerable response will contain the string `var attrs = {};alert(1)//:` and the token `wpsc_create_ticket_init` in the HTML body with HTTP 200 and Content-Type text/html.
  • Fingerprint exposed SupportCandy installations by searching for the path `/wp-content/plugins/supportcandy/` in HTTP response bodies.
  • The vulnerability is triggered only on pages that embed the [wpsc_create_ticket] shortcode; confirm presence of `wpsc_create_ticket_init` in the response to validate the attack surface.
  • The reflected XSS payload is injected via the raw query string (not a named parameter); the unsanitised query string is reflected inside a JavaScript `var attrs = ...` assignment, so the injection breaks out of the object literal context.
  • Only plugin versions strictly before 2.2.7 are vulnerable; version 2.2.7 and later contain the fix.

CVSS provenance

NVD, CVSS v3.1: 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
NVD, CVSS v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
VulnCheck: 6.1 MEDIUM