CVE-2023-49757 - Unpacking the Missing Authorization Flaw in Awesome Support (≤6.1.10)

Awesome Support is a popular support ticket system for WordPress, used by thousands to manage customer requests. But in December 2023, a critical security weakness surfaced: CVE-2023-49757. This post will break down what the vulnerability is, how it could be exploited, show a sample code snippet, and offer resources for anyone who wants the full technical scoop.

What is CVE-2023-49757?

In plain terms, CVE-2023-49757 is a "Missing Authorization" issue. That means some sensitive features in Awesome Support could be accessed by users who aren’t supposed to. Specifically, if certain access controls aren’t set up right, attackers—or even just random users—can perform admin-like actions without permission.

Affected versions:
All Awesome Support versions up to and including 6.1.10.

Why Does This Happen?

Awesome Support depends on its own security levels and role settings to restrict who can do what. But due to a flaw in the way it checks permissions for some actions, users might be able to:

Even delete or create new tickets, depending on the configuration

This is especially risky for sites with custom role setups or where the plugin’s security settings weren’t double-checked after updating.

How Attackers Exploit It

Let’s imagine a ticket update endpoint like /wp-admin/admin-ajax.php?action=update_ticket. Normally, this call should check: "Is this user allowed to update this ticket?" With this vulnerability, that check might not be strong enough.

An attacker could do something like the following (pseudocode)

<?php
// Assume $ticket_id comes from user input (POST/GET)
$ticket_id = $_POST['ticket_id'];
$new_status = 'closed';

// The vulnerable call: lacks robust user permission check
update_ticket_status($ticket_id, $new_status);

// What SHOULD happen is a strict check, like:
if (!current_user_can('manage_ticket', $ticket_id)) {
    die('Unauthorized');
}
?>

Any user (even *not* logged in) could potentially send a crafted request

curl -X POST \
  -d "action=update_ticket" \
  -d "ticket_id=1234" \
  -d "new_status=closed" \
  https://target-site.com/wp-admin/admin-ajax.php

If the site is vulnerable, this would close a ticket without permission.

Real WordPress Attack Scenario

Bad actors could write a simple script to loop through ticket IDs and steal ticket details, or spam-close tickets site-wide. If your site is public, attackers could scrape private client data.

How to Fix

Official fix: Upgrade to Awesome Support 6.1.11 or later.

Thoroughly review the Awesome Support permission settings.

- Consider using a WordPress security plugin like Wordfence.

References and Links

- Original CVE Report (mitre.org)
- Plugin News – Patch Announcement (WordPress.org)
- Vendor Disclosure

Summary

CVE-2023-49757 shows how even mature, trusted plugins can become a risk through overlooked access control. If you rely on Awesome Support for your customer ticketing, upgrade ASAP, audit your WordPress roles, and be vigilant for abnormal ticket activity.

*Keep your clients' data— and your peace of mind— safe!*


Got questions? Drop them in the comments below, or check the GitHub issue tracker for more details.

Timeline

Published on: 12/09/2024 13:15:35 UTC