CVE-2024-13601: 
WordPress vulnerability analysis and mitigation

The Majestic Support WordPress plugin (versions up to 1.0.5) contains an Insecure Direct Object Reference vulnerability identified as CVE-2024-13601. The vulnerability was discovered and reported on February 12, 2025, affecting the plugin's 'exportusereraserequest' function due to insufficient validation of user-controlled keys (NVD).

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has received a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue exists in the GDPR module of the plugin, specifically in the exportusereraserequest function (WordPress Plugin).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to export ticket data belonging to any user in the system, potentially leading to unauthorized access to sensitive support ticket information (Wordfence Advisory).

A patch has been released to address this vulnerability. Users should upgrade to versions newer than 1.0.5 to protect against this security issue (WordPress Patch).