CVE-2024-8548
HIGHKB Support - WordPress Help Desk - Privilege Escalation
Title source: llmDescription
The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the /includes/ajax-functions.php file all versions up to, and including, 1.6.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple administrative actions, such as replying to arbitrary tickets, updating the status of any post, deleting any post, adding notes to tickets, flagging or unflagging tickets, and adding or removing ticket participants.
References (14)
Core 14
Core References
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L138
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L172
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L211
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L240
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L458
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L531
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L580
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L605
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L630
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L649
Product
https://plugins.trac.wordpress.org/browser/kb-support/trunk/includes/ajax-functions.php#L801
Scores
CVSS v3
8.1
EPSS
0.0036
EPSS Percentile
27.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (2)
logon/kb_support
< 1.6.7
logoninc/KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
< 1.6.6
Published
Oct 01, 2024
Tracked Since
Feb 18, 2026