CVE-2024-0595 — Missing Authorization in Awesome Support

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 70.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Getawesomesupport Awesome Support Awesomesupport Awesome Support Wordpress Helpdesk Support Plugin

Timeline

PublishedFeb 10

Description

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails. CVE-2024-35741 is likely a duplicate of this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5awesomesupport/awesome_support_wordpress_helpdesk_support_plugin6.1.7

▶NVDgetawesomesupport/awesome_support< 6.1.8

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-rpr9-6rwm-4w63: The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check↗2024-02-10

▶

CVEList

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 - Missing Authorization via wpas_get_users()↗2024-02-10

▶