Shared security patch analysis results
AI Used: claude_cli haikuComprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.
--- cache/awesome-support_6.3.6/awesome-support.php 2026-01-16 00:21:03.983645144 +0000+++ cache/awesome-support_6.3.7/awesome-support.php 2026-01-16 00:22:34.913339967 +0000@@ -10,7 +10,7 @@ * Plugin Name: Awesome Support * Plugin URI: https://getawesomesupport.com * Description: Awesome Support is a great ticketing system that will help you improve your customer satisfaction by providing a unique customer support experience.- * Version: 6.3.6+ * Version: 6.3.7 * Author: Awesome Support Team * Author URI: https://getawesomesupport.com * Text Domain: awesome-support@@ -252,7 +252,7 @@ * @return void */ private function setup_constants() {- define( 'WPAS_VERSION', '6.3.6' );+ define( 'WPAS_VERSION', '6.3.7' ); define( 'WPAS_DB_VERSION', '1' ); define( 'WPAS_URL', trailingslashit( plugin_dir_url( __FILE__ ) ) ); define( 'WPAS_PATH', trailingslashit( plugin_dir_path( __FILE__ ) ) );
``` Vulnerability Existed: no No Security Vulnerabilities Detected Explanation: This diff contains only version number updates from 6.3.6 to 6.3.7 in two locations: 1. The plugin header comment (line 13) 2. The WPAS_VERSION constant definition (line 255) These are benign version string changes with no security implications. No code logic has been modified, no security-sensitive operations have been altered, and no new or existing vulnerabilities are introduced or fixed by these changes. ```
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
--- cache/awesome-support_6.3.6/includes/admin/metaboxes/details.php 2026-01-16 00:21:04.307665461 +0000+++ cache/awesome-support_6.3.7/includes/admin/metaboxes/details.php 2026-01-16 00:22:35.013346224 +0000@@ -51,8 +51,8 @@ <?php if ( 'post-new.php' != $pagenow ): wpas_cf_display_status( '', $post->ID ); ?>- <?php else: ?>- <span><?php _x( 'Creating...', 'Ticket creation', 'awesome-support' ); ?></span>+ <?php else: ?> + <span><?php echo _x( 'Creating...', 'Ticket creation', 'awesome-support' ); ?></span> <?php endif; ?> </div> <div class="wpas-col">
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Output During Web Page Generation ('Cross-site Scripting') - CWE-79 - includes/admin/metaboxes/details.php [54]
Old Code:
```php
<span><?php _x( 'Creating...', 'Ticket creation', 'awesome-support' ); ?></span>
```
Fixed Code:
```php
<span><?php echo _x( 'Creating...', 'Ticket creation', 'awesome-support' ); ?></span>
```
Explanation:
The original code calls `_x()` (a WordPress translation function) without explicitly outputting its return value using `echo`. While this may appear benign, the function's return value is discarded silently. The fix adds `echo` to explicitly output the translated string to the page. However, this is actually not a direct XSS vulnerability fix in the traditional sense, since `_x()` is a translation function that returns a localized string constant ('Creating...'), which is not user-controlled input. The real issue is more subtle: the missing `echo` means the string was never being displayed at all (a logic bug). The addition of `echo` fixes the display but does not address a genuine XSS vulnerability, since the input is a hardcoded string literal, not user-supplied data. The `_x()` function in WordPress does not perform output escaping by default - it simply returns the translated string. For proper XSS protection of user-controlled content, escaping functions like `esc_html()` or `esc_attr()` should be used. In this case, since the content is hardcoded, there is no actual XSS risk introduced, but best practice would be to use `echo esc_html( _x(...) )` if the string could potentially contain special characters that need escaping.
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
--- cache/awesome-support_6.3.6/includes/admin/views/about-tab-change-log.php 2026-01-16 00:21:04.879701330 +0000+++ cache/awesome-support_6.3.7/includes/admin/views/about-tab-change-log.php 2026-01-16 00:22:35.117352730 +0000@@ -5,6 +5,20 @@ <div class="row"> <div> <div class="about-body">+ <h1>What's New In 6.3.7</h1>+ <h3>6.3.7 Revised plugin deactivation process with feedback.</h3>+ <ul>+ <li>Update default fallback rules for the .htaccess file in the ticket folder.</li>+ <li>Fix Missing Authorization to Unauthenticated Role Demotion.</li>+ <li>Fix vulnerable issue of Unauthenticated Sensitive Information Disclosure.</li>+ </ul>+ </div>+ </div>+ </div>++ <div class="row">+ <div>+ <div class="about-body"> <h1>What's New In 6.3.6</h1> <h3>6.3.6 Revised plugin deactivation process with feedback.</h3> <ul>
Vulnerability Existed: no No CWE vulnerability detected File: includes/admin/views/about-tab-change-log.php Lines: 8-17 (added content) Old Code: ``` <div class="about-body"> <h1>What's New In 6.3.6</h1> <h3>6.3.6 Revised plugin deactivation process with feedback.</h3> <ul> ``` Fixed Code: ``` <div class="about-body"> <h1>What's New In 6.3.7</h1> <h3>6.3.7 Revised plugin deactivation process with feedback.</h3> <ul> <li>Update default fallback rules for the .htaccess file in the ticket folder.</li> <li>Fix Missing Authorization to Unauthenticated Role Demotion.</li> <li>Fix vulnerable issue of Unauthenticated Sensitive Information Disclosure.</li> </ul> </div> ``` Explanation: This diff shows a changelog update for version 6.3.7, adding a new section that documents security fixes (Missing Authorization and Unauthenticated Sensitive Information Disclosure). The changes are purely HTML markup additions to a display template—no executable code was added or modified. There are no injection vectors, logic flaws, or security vulnerabilities introduced in this changelog documentation. The content is static HTML without any dynamic variables, user input handling, or database operations. This is a safe informational update to the plugin's about page.
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
--- cache/awesome-support_6.3.6/includes/file-uploader/class-file-uploader.php 2026-01-16 00:21:05.523741713 +0000+++ cache/awesome-support_6.3.7/includes/file-uploader/class-file-uploader.php 2026-01-16 00:22:35.321365493 +0000@@ -136,6 +136,9 @@ add_action( 'wpas_after_close_ticket', array( $this, 'wpas_maybe_delete_attachments_after_close_ticket' ), 11, 3 ); + // One-time fix for .htaccess files containing 'Deny from all'+ add_action( 'admin_init', array( $this, 'fix_htaccess_files_once' ), 10 );+ } @@ -860,13 +863,9 @@ $filename = $dir . '/.htaccess'; - // Default fallback rules- $filecontents = wpas_get_option( 'htaccess_contents_for_attachment_folders', '' );+ $filecontents = wpas_get_option( 'htaccess_contents_for_attachment_folders', 'Options -Indexes' ) ; if ( empty( $filecontents ) ) {- $filecontents = "Options -Indexes\n";- $filecontents .= "<FilesMatch \".*\">\n";- $filecontents .= "Deny from all\n";- $filecontents .= "</FilesMatch>\n";+ $filecontents = 'Options -Indexes' ; } if ( ! file_exists( $filename ) ) {@@ -921,6 +920,85 @@ } /**+ * One-time fix for .htaccess files containing 'Deny from all'+ * + * This function runs once to fix all .htaccess files containing 'Deny from all'+ * in the attachment folders of all existing tickets.+ * It replaces the content with the content defined in the options.+ *+ * @since 1.0.0+ * @return void+ */+ public function fix_htaccess_files_once() {++ // Check if the fix has already been performed+ $fix_done = get_option( 'wpas_htaccess_deny_all_fixed', false );+ + if ( $fix_done ) {+ return;+ }++ global $wp_filesystem;++ // Initialize the filesystem+ if ( empty( $wp_filesystem ) ) {+ require_once( ABSPATH . '/wp-admin/includes/file.php' );+ WP_Filesystem();+ }++ // Get the correct content for .htaccess files+ $filecontents = wpas_get_option( 'htaccess_contents_for_attachment_folders', 'Options -Indexes' );+ if ( empty( $filecontents ) ) {+ $filecontents = 'Options -Indexes';+ }++ // Get all tickets+ $tickets = get_posts( array(+ 'post_type' => 'ticket',+ 'post_status' => 'any',+ 'posts_per_page' => -1,+ 'fields' => 'ids',+ ) );++ $upload_dir = wp_upload_dir();+ $base_dir = $upload_dir['basedir'];+ $fixed_count = 0;++ // Loop through all tickets+ foreach ( $tickets as $ticket_id ) {+ + // Calculate the attachment folder name (same method as in set_upload_dir)+ $ticket_id_encode = md5( $ticket_id . NONCE_SALT );+ $ticket_dir = $base_dir . '/awesome-support/ticket_' . $ticket_id_encode;+ $htaccess_file = $ticket_dir . '/.htaccess';++ // Check if the .htaccess file exists+ if ( file_exists( $htaccess_file ) ) {+ + // Read the current content+ $current_content = $wp_filesystem->get_contents( $htaccess_file );+ + // Check if the file contains 'Deny from all' (case insensitive)+ if ( $current_content !== false && stripos( $current_content, 'Deny from all' ) !== false ) {+ + // Replace the content with the new content+ $result = $wp_filesystem->put_contents( $htaccess_file, $filecontents, FS_CHMOD_FILE );+ + if ( $result !== false ) {+ $fixed_count++;+ wpas_write_log( 'file-uploader', '.htaccess file fixed for ticket #' . $ticket_id . ' (' . $htaccess_file . ')' );+ } else {+ wpas_write_log( 'file-uploader', 'Unable to fix .htaccess file for ticket #' . $ticket_id . ' (' . $htaccess_file . ')' );+ }+ }+ }+ }++ // Mark the fix as completed+ update_option( 'wpas_htaccess_deny_all_fixed', true );+ }++ /** * Add dropzone markup. * * @return void
Vulnerability Existed: yes
FALSE POSITIVE
Arbitrary File Write / Path Traversal - CWE-22 - includes/file-uploader/class-file-uploader.php lines 972-974
Old Code:
```php
$ticket_id_encode = md5( $ticket_id . NONCE_SALT );
$ticket_dir = $base_dir . '/awesome-support/ticket_' . $ticket_id_encode;
$htaccess_file = $ticket_dir . '/.htaccess';
```
Fixed Code:
```php
// No direct fix in the diff, but the vulnerability pattern remains
$ticket_id_encode = md5( $ticket_id . NONCE_SALT );
$ticket_dir = $base_dir . '/awesome-support/ticket_' . $ticket_id_encode;
$htaccess_file = $ticket_dir . '/.htaccess';
```
Explanation:
The code uses `md5()` as a directory identifier, which is a weak method for path construction. While `md5()` is deterministic, using it alone without proper path validation creates a risk if the `$ticket_id` can be manipulated. The `$base_dir` path is trusted from WordPress, but the concatenation doesn't validate that `$ticket_dir` actually exists or belongs to the intended ticket. Additionally, `file_exists()` and `$wp_filesystem->get_contents()` on user-influenced paths without strict validation could lead to reading/writing unintended files if symlinks or directory traversal vectors exist on the filesystem.
---
Vulnerability Existed: not sure
Denial of Service (DoS) via Resource Exhaustion - CWE-400 - includes/file-uploader/class-file-uploader.php lines 952-957
Old Code:
```php
$tickets = get_posts( array(
'post_type' => 'ticket',
'post_status' => 'any',
'posts_per_page' => -1,
'fields' => 'ids',
) );
```
Fixed Code:
```php
// Same code as old - no change
$tickets = get_posts( array(
'post_type' => 'ticket',
'post_status' => 'any',
'posts_per_page' => -1,
'fields' => 'ids',
) );
```
Explanation:
The `fix_htaccess_files_once()` function runs on every `admin_init` action and retrieves all tickets with `posts_per_page => -1`, which loads all ticket posts into memory. On sites with thousands of tickets, this could cause memory exhaustion or timeout issues. The one-time flag check (`get_option`) mitigates this after the first run, but the initial execution could be resource-intensive. Uncertainty exists because the impact depends on the site's scale and WordPress configuration.
---
Vulnerability Existed: no
Insecure Direct Object Reference (IDOR) - CWE-639 - includes/file-uploader/class-file-uploader.php lines 971-990
Old Code:
```php
foreach ( $tickets as $ticket_id ) {
$ticket_id_encode = md5( $ticket_id . NONCE_SALT );
// ... file operations
}
```
Fixed Code:
```php
// Same code - no change
foreach ( $tickets as $ticket_id ) {
$ticket_id_encode = md5( $ticket_id . NONCE_SALT );
// ... file operations
}
```
Explanation:
While the code iterates through ticket IDs, it does not expose these to user input directly. The loop operates on post IDs retrieved from the WordPress database via `get_posts()`. Since this function runs during `admin_init` (admin-only), there is no direct IDOR vulnerability here. The code is not vulnerable to IDOR in this context.
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
--- cache/awesome-support_6.3.6/includes/functions-actions.php 2026-01-16 00:21:05.583745476 +0000+++ cache/awesome-support_6.3.7/includes/functions-actions.php 2026-01-16 00:22:35.329365993 +0000@@ -25,25 +25,26 @@ function wpas_process_actions() { $nonce = false;- - if ( isset( $_POST['wpas-do-nonce'] ) ) {- $nonce = sanitize_text_field( wp_unslash( $_POST['wpas-do-nonce'] ) );- } elseif ( isset( $_GET['wpas-do-nonce'] ) ) {- $nonce = sanitize_text_field( wp_unslash( $_GET['wpas-do-nonce'] ) );- }-- if ( ! $nonce || ! wp_verify_nonce( $nonce, 'trigger_custom_action' ) ) {- return;- }+ $action = ''; + if ( isset( $_POST['wpas-do-nonce'] ) ) {+ $nonce = sanitize_text_field( wp_unslash( $_POST['wpas-do-nonce'] ) );+ $action = isset( $_POST['wpas-do'] ) ? sanitize_text_field( wp_unslash( $_POST['wpas-do'] ) ) : '';+ } elseif ( isset( $_GET['wpas-do-nonce'] ) ) {+ $nonce = sanitize_text_field( wp_unslash( $_GET['wpas-do-nonce'] ) );+ $action = isset( $_GET['wpas-do'] ) ? sanitize_text_field( wp_unslash( $_GET['wpas-do'] ) ) : ''; + }++ // FIX: Use action-specific nonce verification+ if ( ! $nonce || ! $action || ! wp_verify_nonce( $nonce, 'wpas_do_' . $action ) ) {+ return;+ } - if ( isset( $_POST['wpas-do'] ) ) {- $wpas_do = sanitize_text_field( wp_unslash( $_POST['wpas-do'] ) );- do_action( 'wpas_do_' . $wpas_do, $_POST );+ if ( isset( $_POST['wpas-do'] ) ) { + do_action( 'wpas_do_' . $action, $_POST ); } - if ( isset( $_GET['wpas-do'] ) ) {- $wpas_do = sanitize_text_field( wp_unslash( $_GET['wpas-do'] ) );- do_action( 'wpas_do_' . $wpas_do, $_GET );+ if ( isset( $_GET['wpas-do'] ) ) { + do_action( 'wpas_do_' . $action, $_GET ); } }@@ -63,7 +64,7 @@ $field = sprintf( '<input type="hidden" name="%1$s" value="%2$s">', 'wpas-do', $action ); - $field .= wp_nonce_field( 'trigger_custom_action', 'wpas-do-nonce', true, false );+ $field .= wp_nonce_field( 'wpas_do_' . $action, 'wpas-do-nonce', true, false ); $field = str_replace( 'id="wpas-do-nonce"' , 'id="wpas-do-nonce-' . $action . '"' , $field ); @@ -99,7 +100,7 @@ function wpas_do_url( $url, $action, $args = array() ) { $args['wpas-do'] = $action;- $args['wpas-do-nonce'] = wp_create_nonce( 'trigger_custom_action' );+ $args['wpas-do-nonce'] = wp_create_nonce( 'wpas_do_' . $action ); $url = esc_url( add_query_arg( $args, $url ) ); return $url;
```
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Request Forgery (CSRF) - CWE-352 - includes/functions-actions.php Lines 25-49
Old Code:
if ( ! $nonce || ! wp_verify_nonce( $nonce, 'trigger_custom_action' ) ) {
return;
}
if ( isset( $_POST['wpas-do'] ) ) {
$wpas_do = sanitize_text_field( wp_unslash( $_POST['wpas-do'] ) );
do_action( 'wpas_do_' . $wpas_do, $_POST );
}
if ( isset( $_GET['wpas-do'] ) ) {
$wpas_do = sanitize_text_field( wp_unslash( $_GET['wpas-do'] ) );
do_action( 'wpas_do_' . $wpas_do, $_GET );
}
Fixed Code:
$action = isset( $_POST['wpas-do'] ) ? sanitize_text_field( wp_unslash( $_POST['wpas-do'] ) ) : '';
// ... similar for $_GET
if ( ! $nonce || ! $action || ! wp_verify_nonce( $nonce, 'wpas_do_' . $action ) ) {
return;
}
if ( isset( $_POST['wpas-do'] ) ) {
do_action( 'wpas_do_' . $action, $_POST );
}
if ( isset( $_GET['wpas-do'] ) ) {
do_action( 'wpas_do_' . $action, $_GET );
}
Explanation:
The original code used a static nonce string ('trigger_custom_action') for all actions, creating a CSRF vulnerability. An attacker could craft a valid nonce for one action and use it to perform any other action without proper authorization. The fix implements action-specific nonce verification by incorporating the action name into the nonce ('wpas_do_' . $action), ensuring each action requires its own unique valid nonce. This prevents CSRF attacks where nonces from one action cannot be reused for different actions. The fix also sanitizes the action parameter early and validates that an action is present before proceeding.
```
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
--- cache/awesome-support_6.3.6/includes/functions-templating.php 2026-01-16 00:21:05.807759522 +0000+++ cache/awesome-support_6.3.7/includes/functions-templating.php 2026-01-16 00:22:35.365368245 +0000@@ -1682,3 +1682,57 @@ } // Add filter to `the_title` hook. add_filter( 'the_title', 'wpas_single_ticket_title', 10, 1 );++ /**+ * Alter document title for single ticket to prevent information disclosure.+ *+ * This function prevents the ticket title from being leaked in the HTML page title+ * for unauthenticated users or users who don't have permission to view the ticket.+ *+ * @since 6.0.0+ *+ * @param array $title_parts The document title parts+ *+ * @return array Modified title parts+ */+ function wpas_single_ticket_document_title( $title_parts = array() ) {++ global $post;++ $slug = 'ticket';++ /* Don't touch the admin */+ if ( is_admin() ) {+ return $title_parts;+ }++ /* Only apply this on the ticket single. */+ if ( ! $post || $slug !== $post->post_type ) {+ return $title_parts;+ }++ /* Only apply this on the main query. */+ if ( ! is_main_query() ) {+ return $title_parts;+ }++ /* Check if the current user can view the ticket */+ $can_view = wpas_can_view_ticket( $post->ID );+ + /* Check if the ticket is public (wpas_pbtk_flag) - only allow public access if the Public Tickets add-on is active */+ if ( class_exists( 'AS_Publictickets_Loader' ) && 'public' === get_post_meta( $post->ID, '_wpas_pbtk_flag', true ) ) {+ $can_view = true;+ }+ + if ( ! $can_view ) {+ /* Replace the ticket title with a generic title to prevent information disclosure */+ if ( isset( $title_parts['title'] ) ) {+ $title_parts['title'] = __( 'No tickets found.', 'awesome-support' );+ }+ }++ return $title_parts;++ }+ // Add filter to `document_title_parts` hook (WordPress 4.4+).+ add_filter( 'document_title_parts', 'wpas_single_ticket_document_title', 10, 1 );\ No newline at end of file
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: yes
TRUE POSITIVE
Information Disclosure - CWE-200 - includes/functions-templating.php lines 1685-1737
Old Code:
No function present - ticket titles were displayed in document title without access control verification
Fixed Code:
```php
function wpas_single_ticket_document_title( $title_parts = array() ) {
global $post;
$slug = 'ticket';
if ( is_admin() ) {
return $title_parts;
}
if ( ! $post || $slug !== $post->post_type ) {
return $title_parts;
}
if ( ! is_main_query() ) {
return $title_parts;
}
$can_view = wpas_can_view_ticket( $post->ID );
if ( class_exists( 'AS_Publictickets_Loader' ) && 'public' === get_post_meta( $post->ID, '_wpas_pbtk_flag', true ) ) {
$can_view = true;
}
if ( ! $can_view ) {
if ( isset( $title_parts['title'] ) ) {
$title_parts['title'] = __( 'No tickets found.', 'awesome-support' );
}
}
return $title_parts;
}
add_filter( 'document_title_parts', 'wpas_single_ticket_document_title', 10, 1 );
```
Explanation:
This fix addresses an information disclosure vulnerability where sensitive ticket titles could be exposed in the HTML page title (`<title>` tag) to unauthorized users. The original code did not implement access control checks before displaying ticket information in the document title. The fix adds proper authorization verification by:
1. Checking if the user has permission to view the ticket via `wpas_can_view_ticket()`
2. Allowing public access only if the Public Tickets add-on is active and the ticket is marked as public
3. Replacing the ticket title with a generic "No tickets found" message for unauthorized users
4. Only applying these checks on the main single ticket query (excluding admin and non-main queries)
This prevents sensitive ticket information from being leaked through the browser's page title, which can be exposed in browser history, bookmarks, server logs, and HTTP referrer headers.
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
--- cache/awesome-support_6.3.6/includes/functions-user.php 2026-01-16 00:21:05.935767548 +0000+++ cache/awesome-support_6.3.7/includes/functions-user.php 2026-01-16 00:22:35.369368495 +0000@@ -1683,6 +1683,16 @@ if( $user_id ) { + // FIX: Add capability check+ if ( ! current_user_can( 'edit_users' ) ) {+ wp_die( __( 'You do not have permission to activate users.', 'awesome-support' ), 403 );+ }+ + // FIX: Verify current user can edit the target user+ if ( ! current_user_can( 'edit_user', $user_id ) ) {+ wp_die( __( 'You do not have permission to edit this user.', 'awesome-support' ), 403 );+ }+ $role = wpas_get_option( 'moderated_activated_user_role' ); $updated = wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
Vulnerability Existed: yes
TRUE POSITIVE
Privilege Escalation / Broken Access Control - CWE-284 - includes/functions-user.php Lines 1686-1695
Old Code:
```php
if( $user_id ) {
$role = wpas_get_option( 'moderated_activated_user_role' );
$updated = wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
```
Fixed Code:
```php
if( $user_id ) {
// FIX: Add capability check
if ( ! current_user_can( 'edit_users' ) ) {
wp_die( __( 'You do not have permission to activate users.', 'awesome-support' ), 403 );
}
// FIX: Verify current user can edit the target user
if ( ! current_user_can( 'edit_user', $user_id ) ) {
wp_die( __( 'You do not have permission to edit this user.', 'awesome-support' ), 403 );
}
$role = wpas_get_option( 'moderated_activated_user_role' );
$updated = wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
```
Explanation:
The original code lacked proper authorization checks before updating a user's role. Any authenticated user could potentially activate other users and assign them roles without verifying they had permission to do so. The fix adds two critical capability checks:
1. `current_user_can( 'edit_users' )` - Ensures the current user has the general capability to edit users
2. `current_user_can( 'edit_user', $user_id )` - Verifies the current user has permission to edit the specific target user
This prevents unauthorized privilege escalation and role manipulation attacks by enforcing WordPress's built-in permission system before executing the user update operation.
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
--- cache/awesome-support_6.3.6/includes/gdpr-integration/gdpr-user-profile.php 2026-01-16 00:21:11.872139735 +0000+++ cache/awesome-support_6.3.7/includes/gdpr-integration/gdpr-user-profile.php 2026-01-16 00:22:36.733453827 +0000@@ -586,12 +586,7 @@ if ( $wp_filesystem->is_writable($dir) ) { - $filename = $dir . '/.htaccess';-- $filecontents = "Options -Indexes\n";- $filecontents .= "<FilesMatch \".*\">\n";- $filecontents .= "Deny from all\n";- $filecontents .= "</FilesMatch>\n";+ $filecontents = 'Options -Indexes'; if ( ! file_exists( $filename ) ) { $result = $wp_filesystem->put_contents($filename, $filecontents, FS_CHMOD_FILE);
I'll analyze this code diff for security vulnerabilities. Vulnerability Existed: yes FALSE POSITIVE Arbitrary File Write / Path Traversal - CWE-22 - includes/gdpr-integration/gdpr-user-profile.php - Lines 589-595 Old Code: ```php $filename = $dir . '/.htaccess'; $filecontents = "Options -Indexes\n"; $filecontents .= "<FilesMatch \".*\">\n"; $filecontents .= "Deny from all\n"; $filecontents .= "</FilesMatch>\n"; ``` Fixed Code: ```php $filecontents = 'Options -Indexes'; ``` Explanation: The original code had a critical security vulnerability. The variable `$filename` was being constructed by concatenating `$dir` with `/.htaccess`, but `$filename` is never defined or used in the visible code segment before the `if ( ! file_exists( $filename ) )` check. This suggests `$filename` may be undefined or derived from an unsanitized `$dir` parameter, creating a path traversal vulnerability (CWE-22). An attacker could potentially manipulate the `$dir` variable to write `.htaccess` files to unintended locations on the filesystem. The fix removes the explicit filename construction and simplifies the file contents, though the diff is incomplete - it doesn't show whether `$filename` is properly defined elsewhere or how `$dir` is validated. The removal of the multi-line `.htaccess` directive rules also reduces the attack surface by writing less complex directives, but the fundamental issue of how `$filename` is constructed and validated remains unclear from this diff alone.
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
--- cache/awesome-support_6.3.6/includes/rest-api/includes/API/Passwords.php 2026-01-16 00:21:12.404173089 +0000+++ cache/awesome-support_6.3.7/includes/rest-api/includes/API/Passwords.php 2026-01-16 00:22:36.829459832 +0000@@ -64,7 +64,7 @@ 'permission_callback' => array( $this, 'get_passwords_permissions_check' ), ), 'schema' => array( $this, 'get_public_item_schema' ),- ) );+ ) ); register_rest_route( $this->namespace, '/users/(?P<user_id>[\d]+)/' . $this->rest_base . '/(?P<slug>[\da-fA-F]{12})', array( 'args' => array(@@ -88,11 +88,12 @@ ) ); // Some hosts that run PHP in FastCGI mode won't be given the Authentication header.+ // SECURITY FIX: CVE-2025-53340 - Restrict access to administrators only register_rest_route( $this->namespace, '/test-basic-authorization-header/', array( array( 'methods' => WP_REST_Server::READABLE . ', ' . WP_REST_Server::CREATABLE, 'callback' => array( $this, 'test_basic_authorization_header' ),- 'permission_callback' => '__return_true',+ 'permission_callback' => array( $this, 'test_basic_auth_permissions_check' ), ), 'schema' => array( $this, 'test_schema' ), ) );@@ -111,6 +112,19 @@ } /**+ * Checks if a given request has access to test Basic Auth headers.+ * Only administrators can access this diagnostic endpoint.+ * + * SECURITY FIX: CVE-2025-53340 - Restrict access to prevent unauthenticated access+ *+ * @param WP_REST_Request $request Full details about the request.+ * @return bool True if the request has access, otherwise false.+ */+ public function test_basic_auth_permissions_check( $request ) {+ return is_user_logged_in() && current_user_can( 'manage_options' );+ }++ /** * Retrieves the passwords. * * @param WP_REST_Request $request Full details about the request.@@ -293,14 +307,15 @@ */ public function test_basic_authorization_header() {+ $response = array(); if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) {- $response['PHP_AUTH_USER'] = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) );+ $response['BASIC_AUTH_USER'] = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) ); } if ( isset( $_SERVER['PHP_AUTH_PW'] ) ) {- $response['PHP_AUTH_PW'] = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_PW'] ) );+ $response['BASIC_AUTH_PW'] = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_PW'] ) ); } if ( empty( $response ) ) {
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Access Control - CWE-639 - includes/rest-api/includes/API/Passwords.php Line 95
Old Code:
'permission_callback' => '__return_true',
Fixed Code:
'permission_callback' => array( $this, 'test_basic_auth_permissions_check' ),
Explanation:
The original code allowed unauthenticated access to the `/test-basic-authorization-header/` REST endpoint by using `__return_true` as the permission callback, which always grants access regardless of user authentication status. This diagnostic endpoint could be abused to test and extract HTTP Basic Authentication headers. The fix restricts access to authenticated administrators only via the new `test_basic_auth_permissions_check` method that verifies `is_user_logged_in()` and `current_user_can('manage_options')`.
---
Vulnerability Existed: not sure
Sensitive Data Exposure - CWE-200 - includes/rest-api/includes/API/Passwords.php Lines 315-318
Old Code:
$response['PHP_AUTH_USER'] = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) );
...
$response['PHP_AUTH_PW'] = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_PW'] ) );
Fixed Code:
$response['BASIC_AUTH_USER'] = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) );
...
$response['BASIC_AUTH_PW'] = sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_PW'] ) );
Explanation:
The original code returned sensitive authentication credentials (username and password) in the API response with keys that explicitly identified them as PHP_AUTH_USER and PHP_AUTH_PW. While the data is sanitized and this is a diagnostic endpoint (now restricted to admins), renaming the response keys to BASIC_AUTH_USER and BASIC_AUTH_PW is a minor obfuscation that provides minimal additional security. The real security improvement is the access control restriction added at line 95. The renaming alone is not a significant vulnerability fix but rather a defensive coding practice.
```
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.