CVE-2021-24878

CVE-2021-24878: SupportCandy < 2.2.7 - Reflected Cross-Site Scripting

Vendor Unknown

Product SupportCandy – Helpdesk & Support Ticket System

Weakness CWE-79 · XSS

Published February 7, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue

Key dates

02Disclosure timeline

February 7, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24878

Related vulnerabilities

04Related CVE

CVE-2024-0981 CVE-2019-19293 CVE-2024-9169 litespeed cache <= 6.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2025-31028 WordPress WP Hide Categories plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability CVE-2023-28166 WordPress Tags Cloud Manager Plugin <= 1.0.0 is vulnerable to Cross Site Scripting (XSS)