
CVE-2024-0595: CWE-862 Missing Authorization in awesomesupport Awesome Support – WordPress HelpDesk & Support Plugin

Medium
Published: Sat Feb 10 2024 (02/10/2024, 06:51:52 UTC)
Source: CVE
Vendor/Project: awesomesupport
Product: Awesome Support – WordPress HelpDesk & Support Plugin

Description

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails.

AI-Powered Analysis

Last updated: 06/24/2025, 06:41:20 UTC

Technical Analysis

CVE-2024-0595 is a vulnerability identified in the Awesome Support – WordPress HelpDesk & Support Plugin, a popular plugin used to provide helpdesk and support functionality within WordPress environments. The vulnerability arises from a missing authorization check in the wpas_get_users() function, which is invoked via AJAX requests. Specifically, this function lacks proper capability verification, allowing any authenticated user with subscriber-level access or higher to exploit the flaw. By leveraging this vulnerability, an attacker can retrieve sensitive user data, including email addresses, without possessing the necessary permissions. This issue affects all versions of the plugin up to and including version 6.1.7. The vulnerability is categorized under CWE-862 (Missing Authorization), indicating that the system fails to enforce proper access control before performing sensitive operations. Notably, exploitation requires the attacker to be authenticated with at least subscriber-level privileges, which is a low-level role in WordPress, often granted to registered users with minimal rights. The vulnerability does not require user interaction beyond authentication, and no public exploits have been reported in the wild as of the publication date. However, the exposure of user email addresses can facilitate further attacks such as phishing, social engineering, or targeted spear-phishing campaigns. Since the plugin is widely used in WordPress-based support systems, the attack surface is significant, especially for organizations relying on this plugin for customer support and ticket management. The lack of a patch link indicates that a fix may not yet be publicly available, increasing the urgency for mitigation measures.

Potential Impact

For European organizations, the impact of CVE-2024-0595 can be considerable, particularly for those using the Awesome Support plugin to manage customer support operations. Unauthorized access to user email addresses compromises confidentiality and can lead to privacy violations under GDPR, potentially resulting in regulatory fines and reputational damage. The exposure of user data can also facilitate targeted phishing attacks, increasing the risk of credential theft or further compromise of organizational systems. While the vulnerability does not allow direct modification or deletion of data, the leakage of personally identifiable information (PII) undermines data integrity and privacy. The requirement for authenticated access limits exploitation to users who already have some level of access, but subscriber roles are commonly assigned to registered users or customers, making exploitation feasible in many scenarios. The availability of the support system itself is not directly impacted, but the indirect effects of data leakage and subsequent attacks could disrupt operations. Given the widespread use of WordPress and the popularity of the Awesome Support plugin, organizations in sectors with high customer interaction—such as e-commerce, telecommunications, and public services—are particularly at risk. Additionally, the lack of known exploits in the wild suggests that proactive mitigation can effectively reduce risk before widespread exploitation occurs.

Mitigation Recommendations

1. Immediate mitigation should involve restricting subscriber-level user registrations or reviewing the roles assigned to users to minimize the number of accounts with subscriber or higher privileges.
2. Implement strict user role audits to ensure that only trusted users have authenticated access to the WordPress environment.
3. Monitor AJAX requests to the wpas_get_users() endpoint for unusual activity or excessive data retrieval attempts.
4. Apply web application firewall (WAF) rules to detect and block unauthorized AJAX calls targeting this function.
5. Until an official patch is released, consider disabling or limiting the functionality of the Awesome Support plugin if feasible, especially on sites with high-risk data.
6. Employ logging and alerting mechanisms to detect suspicious access patterns related to user data retrieval.
7. Educate users and administrators about the risks of phishing and social engineering attacks that could stem from leaked email addresses.
8. Stay updated with vendor communications for patches or updates addressing this vulnerability and apply them promptly once available.
9. Consider implementing additional access control plugins or custom code to enforce capability checks on AJAX endpoints within WordPress.
10. Conduct regular security assessments and penetration testing focusing on WordPress plugins and user privilege escalations.
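The following is an added illustration of the CWE-862 pattern the analysis describes and of the capability check that mitigation 9 calls for; it is not code from the Awesome Support plugin, and the hook, action and script handle names (example_get_users_unchecked, example_get_users_checked, example_nonce, example-admin) are placeholders, not the plugin's own.

```php
<?php
// Added illustration, not code from the Awesome Support plugin. All names here
// are placeholders. Both handlers are registered on wp_ajax_* hooks, which run
// for any logged-in user, so being authenticated alone does not restrict access.

// Vulnerable shape (the missing-authorization pattern): no capability check,
// no nonce. Any subscriber that can reach admin-ajax.php receives the user list,
// email addresses included.
function example_get_users_unchecked() {
    $users = get_users( array( 'fields' => array( 'ID', 'user_email' ) ) );
    wp_send_json_success( $users );
}
add_action( 'wp_ajax_example_get_users_unchecked', 'example_get_users_unchecked' );

// Hardened shape: verify a nonce tied to this action, then require a capability
// that subscriber accounts do not hold before touching user data.
function example_get_users_checked() {
    // CSRF protection only: rejects missing or stale nonces (HTTP 403 by default).
    // A nonce is not authorization; the capability check below is.
    check_ajax_referer( 'example_nonce', 'nonce' );

    // 'list_users' is granted only to administrators in a default install.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Return only the fields the caller needs; keep emails out of the response.
    $users = get_users( array( 'fields' => array( 'ID', 'display_name' ) ) );
    wp_send_json_success( $users );
}
add_action( 'wp_ajax_example_get_users_checked', 'example_get_users_checked' );

// Hand the nonce to the page script (assumed already registered as
// 'example-admin') so legitimate callers can send it as the 'nonce' POST field.
function example_enqueue_nonce() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_nonce' );
```

The same check applies to any wp_ajax_ or wp_ajax_nopriv_ handler that reads or returns user data: decide which capability the operation requires and enforce it with current_user_can() before the query runs.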


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-01-16T14:19:26.414Z
CISA Enriched: true

Threat ID: 682d983fc4522896dcbf0daa

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/24/2025, 6:41:20 AM

Last updated: 8/7/2025, 3:45:31 PM

