Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total9
Critical1
High3
Medium5
Reset
Showing 1-9 of 9 records
Threat Entry Updated 2026-04-08

CVE-2026-4654 - Support Plugin

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.

PLUGIN Support

CVE-2026-4654

MEDIUM CVSS 5.3 2026-04-08
Open Full Technical Breakdown
Threat Entry Updated 2026-01-16

CVE-2025-12641 - Support Plugin

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a…

PLUGIN Support

CVE-2025-12641

MEDIUM CVSS 6.5 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2025-04-01

CVE-2024-13567 - Support Plugin

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.3.1 via the 'awesome-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/awesome-support directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 6.3.1.

PLUGIN Support

CVE-2024-13567

HIGH CVSS 7.5 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-02-18

CVE-2024-13606 - Support Plugin

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the 'jssupportticketdata' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/jssupportticketdata directory which can contain file attachments included in support tickets.

PLUGIN Support

CVE-2024-13606

HIGH CVSS 7.5 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-04

CVE-2024-13607 - Support Plugin

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the 'exportusereraserequest' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level permissions and above, to export ticket data for any user.

PLUGIN Support

CVE-2024-13607

MEDIUM CVSS 4.3 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2024-08-13

CVE-2024-7094 - Support Plugin

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the 'storeTheme' function. This is due to a lack of sanitization on user-supplied values, which replace values in the style.php file, along with missing capability checks. This makes it possible for unauthenticated attackers to execute code on the server. This issue was partially patched in 2.8.6 when the code injection issue was resolved, and fully…

PLUGIN Support

CVE-2024-7094

CRITICAL CVSS 9.8 2024-08-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-0596 - Support Plugin

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the editor_html() function in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to view password protected and draft posts.

PLUGIN Support

CVE-2024-0596

MEDIUM CVSS 5.3 2024-02-10
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-0595 - Support Plugin

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails.

PLUGIN Support

CVE-2024-0595

MEDIUM CVSS 4.3 2024-02-10
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-0594 - Support Plugin

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the wpas_get_users action in all versions up to, and including, 6.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Support

CVE-2024-0594

HIGH CVSS 8.8 2024-02-10
Open Full Technical Breakdown
Scroll to top