Supportcandy: >> Supportcandy >> 3.1.5 Security Vulnerabilities
The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection exploitable by users with a role as low as Subscriber.
CVSS Score
8.8
EPSS Score
0.035
Published
2023-06-19
The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
CVSS Score
7.2
EPSS Score
0.002
Published
2023-06-19