CVE-2023-48324 – WordPress Awesome Support HelpDesk plugin <= 6.1.4 - Broken Access control vulnerability
https://notcve.org/view.php?id=CVE-2023-48324
23 Nov 2023 — Missing Authorization vulnerability in Awesome Support Team Awesome Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Awesome Support: from n/a through 6.1.4. The Awesome Support plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpas_edit_reply_ajax() function in versions up to, and including, 6.1.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to edi... • https://patchstack.com/database/wordpress/plugin/awesome-support/vulnerability/wordpress-awesome-support-helpdesk-plugin-6-1-4-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVE-2023-5352 – Awesome Support < 6.1.5 - Insufficient permission check in wpas_edit_reply
https://notcve.org/view.php?id=CVE-2023-5352
16 Oct 2023 — The Awesome Support WordPress plugin before 6.1.5 does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission. The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to ... • https://wpscan.com/vulnerability/d32b2136-d923-4f36-bd76-af4578deb23b • CWE-862: Missing Authorization • CWE-863: Incorrect Authorization
CVE-2023-5354 – Awesome Support < 6.1.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-5354
16 Oct 2023 — The Awesome Support WordPress plugin before 6.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The Awes... • https://wpscan.com/vulnerability/aa380524-031d-4e49-9d0b-96e62d54557f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-5355 – Awesome Support < 6.1.5 - Submitter+ Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-5355
16 Oct 2023 — The Awesome Support WordPress plugin before 6.1.5 does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server. The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to ... • https://wpscan.com/vulnerability/d6f7faca-dacf-4455-a837-0404803d0f25 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-3511 – Awesome Support < 6.1.2 - Subscriber+ Arbitrary Exported Tickets Download
https://notcve.org/view.php?id=CVE-2022-3511
07 Nov 2022 — The Awesome Support WordPress plugin before 6.1.2 does not ensure that the exported tickets archive to be downloaded belongs to the user making the request, allowing a low privileged user, such as subscriber, to download arbitrary exported tickets via an IDOR vector. • https://wpscan.com/vulnerability/9e57285a-0023-4711-874c-6e7b3c2673d1 • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2022-38073 – WordPress Awesome Support plugin <= 6.0.7 - Multiple Authenticated Persistent XSS (Additional Interested Parties)
https://notcve.org/view.php?id=CVE-2022-38073
14 Sep 2022 — Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress. The Awesome Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.0.7 due to insufficient input sanitiz... • https://patchstack.com/database/vulnerability/awesome-support/wordpress-awesome-support-plugin-6-0-7-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-36919 – WordPress Awesome Support plugin <= 6.0.6 - Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities
https://notcve.org/view.php?id=CVE-2021-36919
26 Nov 2021 — Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in WordPress Awesome Support plugin (versions <= 6.0.6), vulnerable parameters (&id, &assignee). The "Awesome Support – WordPress HelpDesk & Support Plugin" plugin for WordPress is vulnerable to Reflected Cross-Sit... • https://patchstack.com/database/vulnerability/awesome-support/wordpress-awesome-support-plugin-6-0-6-multiple-authenticated-reflected-cross-site-scripting-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20181 – Awesome Support – WordPress HelpDesk & Support Plugin <= 6.0.13 - Cross-Site Scripting via post_title
https://notcve.org/view.php?id=CVE-2019-20181
06 Jan 2020 — The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter. The awesome-support plugin 6.0.13 and below for WordPress allows XSS via the post_title parameter. • https://medium.com/%40Pablo0xSantiago/cve-2019-20181-awesome-support-wordpress-helpdesk-support-plugin-5-8-0-84a0c022cf53 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9318 – Awesome Support – WordPress HelpDesk & Support Plugin <= 3.1.6 - Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2015-9318
15 May 2015 — The awesome-support plugin before 3.1.7 for WordPress has a security issue in which shortcodes are allowed in replies. • https://wordpress.org/plugins/awesome-support/#developers • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-254: 7PK - Security Features
CVE-2015-9317 – Awesome Support – WordPress HelpDesk & Support Plugin < 3.1.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-9317
15 May 2015 — The awesome-support plugin before 3.1.7 for WordPress has XSS via custom information messages. • https://wordpress.org/plugins/awesome-support/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')