CVE-2021-24878: 
WordPress vulnerability analysis and mitigation

The SupportCandy WordPress plugin before version 2.2.7 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24878. The vulnerability was discovered by researcher apple502j and was publicly disclosed on January 5, 2022. This security issue affects websites using the SupportCandy plugin for WordPress, which is a helpdesk and customer support ticket system (WPScan).

The vulnerability stems from improper sanitization and escaping of query string parameters in pages containing the [wpsc_create_ticket] shortcode embed. The issue has been assigned a CVSS score of 6.1 (medium severity) and is classified under CWE-79, which pertains to Cross-Site Scripting vulnerabilities. A proof of concept demonstrates that the vulnerability can be exploited by manipulating the query string parameters in the ticket-creation page URL (WPScan).

When exploited, this vulnerability allows attackers to inject malicious client-side scripts into pages containing the ticket creation shortcode. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the user's browser (WPScan).

The vulnerability has been fixed in version 2.2.7 of the SupportCandy plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).