CVE-2024-0595: 
WordPress vulnerability analysis and mitigation

The Awesome Support – WordPress HelpDesk & Support Plugin for WordPress (versions up to 6.1.7) contains a vulnerability identified as CVE-2024-0595. The vulnerability stems from a missing capability check on the wpas_get_users() function hooked via AJAX, which allows authenticated attackers with subscriber-level access or higher to retrieve user data such as email addresses (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 4.3 (Medium). The security flaw exists in the wpas_get_users() function that lacks proper capability checks when accessed through AJAX calls. This implementation oversight allows authenticated users with minimal privileges to access user information beyond their intended authorization level (NVD).

When exploited, this vulnerability allows authenticated attackers with subscriber-level access or higher to retrieve sensitive user data, particularly email addresses. This unauthorized access to user information could potentially be used for various malicious purposes, including data harvesting and targeted phishing attacks (NVD).

Users should upgrade to version 6.1.8 or later of the Awesome Support plugin, which contains the fix for this vulnerability. The update implements proper capability checks on the wpas_get_users() function to prevent unauthorized access to user data (NVD).