CVE-2024-13552: CWE-285 Improper Authorization in supportcandy SupportCandy – Helpdesk & Customer Support Ticket System
CVE-2024-13552 is a medium severity vulnerability in the SupportCandy Helpdesk & Customer Support Ticket System WordPress plugin. It involves an Insecure Direct Object Reference (IDOR) due to improper authorization checks on file attachments. Authenticated attackers can exploit this flaw to download attachments from support tickets they do not own. If the plugin is configured to allow guest tickets, unauthenticated attackers may also exploit this vulnerability. The issue affects all versions up to and including 3.3.0. The vulnerability does not impact integrity or availability but compromises confidentiality of potentially sensitive attachments. No known exploits are currently reported in the wild. Organizations using SupportCandy should prioritize patching or mitigating this issue to prevent unauthorized data disclosure.
AI Analysis
Technical Summary
CVE-2024-13552 is an authorization vulnerability classified under CWE-285 affecting the SupportCandy – Helpdesk & Customer Support Ticket System WordPress plugin. The flaw arises from missing validation on a user-controlled key parameter during file upload and retrieval: the endpoint resolves the attachment from the key but never checks that the requester is entitled to the ticket it belongs to. This lack of access control allows authenticated users to download attachments associated with support tickets that they do not own, constituting an Insecure Direct Object Reference (IDOR). Furthermore, if the administrator enables guest ticket submissions, unauthenticated users can exploit this vulnerability to access attachments without any authentication. The vulnerability affects all versions up to and including 3.3.0 and is rated with a CVSS 3.1 base score of 4.3 (medium severity), reflecting its network attack vector, low complexity, and lack of user interaction, but requiring at least low privileges for exploitation in the authenticated scenario. The vulnerability impacts confidentiality but does not affect integrity or availability of the system. No patches are currently linked, and no known exploits have been reported in the wild. The root cause is insufficient authorization checks on file access endpoints, allowing unauthorized access to sensitive ticket attachments.
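To make the authorization gap concrete, here is a constructed model of an attachment-download handler (an added example, not SupportCandy's code): the vulnerable lookup serves any file whose key resolves, while the hardened version resolves the key and then authorizes the requester against the ticket's owner, an agent role, or, for guest tickets, a per-ticket secret. The ticket, attachment and user ids, the agent set and the guest-secret scheme are all constructed assumptions for the example.

```python
"""Constructed model of an attachment-download authorization check (not plugin code)."""
from dataclasses import dataclass
from typing import Optional
import hmac

@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    owner_user_id: Optional[int]   # None for a guest ticket
    guest_secret: Optional[str]    # assumed unguessable token given to the guest

@dataclass(frozen=True)
class Attachment:
    key: str          # the user-controlled key parameter
    ticket_id: int
    filename: str

# Constructed sample data standing in for the plugin's database tables.
TICKETS = {
    1: Ticket(1, owner_user_id=10, guest_secret=None),
    2: Ticket(2, owner_user_id=20, guest_secret=None),
    3: Ticket(3, owner_user_id=None, guest_secret="s3cr3t-guest-token"),
}
ATTACHMENTS = {
    "k1": Attachment("k1", 1, "invoice.pdf"),
    "k2": Attachment("k2", 2, "contract.pdf"),
    "k3": Attachment("k3", 3, "passport.jpg"),
}
AGENTS = {99}  # constructed: user ids with the support-agent role

def download_vulnerable(key: str, user_id: Optional[int]) -> Optional[str]:
    """IDOR: any valid key returns the file; user_id is never consulted."""
    att = ATTACHMENTS.get(key)
    return att.filename if att else None

def download_hardened(key: str, user_id: Optional[int],
                      guest_secret: Optional[str] = None) -> Optional[str]:
    """Resolve the key, then authorize against the ticket it belongs to."""
    att = ATTACHMENTS.get(key)
    if att is None:
        return None
    ticket = TICKETS[att.ticket_id]
    if user_id in AGENTS:                      # agents may see every ticket
        return att.filename
    if ticket.owner_user_id is not None:       # registered-user ticket: owner only
        return att.filename if user_id == ticket.owner_user_id else None
    # Guest ticket: require the per-ticket secret, compared in constant time.
    if guest_secret is not None and hmac.compare_digest(guest_secret, ticket.guest_secret):
        return att.filename
    return None
```

Note that the vulnerable and hardened functions differ only after the key lookup: the fix is the ownership check, not a change to how keys are generated.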
Potential Impact
The primary impact of CVE-2024-13552 is unauthorized disclosure of sensitive information contained in support ticket attachments. This can lead to leakage of confidential customer data, internal communications, or proprietary information, potentially resulting in reputational damage, regulatory compliance violations (such as GDPR or HIPAA), and loss of customer trust. Since the vulnerability allows authenticated users to access other users' attachments, insider threats or compromised accounts can be leveraged to escalate data exposure. If guest tickets are enabled, the risk extends to unauthenticated attackers, increasing the attack surface significantly. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have serious consequences for organizations relying on SupportCandy for customer support. The lack of known exploits suggests limited active exploitation currently, but the ease of exploitation and network accessibility make it a viable target for attackers.
Mitigation Recommendations
Organizations using the SupportCandy plugin should immediately assess their exposure and take the following specific actions:
1) Upgrade to a patched version once available from the vendor; monitor official SupportCandy channels for updates.
2) Temporarily disable guest ticket submissions to prevent unauthenticated exploitation.
3) Implement strict access controls and review user permissions to minimize the number of users with ticket access.
4) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to access unauthorized attachments.
5) Conduct thorough audits of existing ticket attachments to identify any potential data leakage.
6) Educate support staff about the risk and encourage vigilance for unusual access patterns.
7) If patching is delayed, consider custom plugin modifications to enforce authorization checks on file access endpoints.
8) Monitor logs for anomalous download activity related to ticket attachments.
These targeted mitigations go beyond generic advice by focusing on configuration changes, monitoring, and temporary controls until an official patch is released.
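For the log-monitoring step, here is an added detection example (not from the advisory or the plugin) that flags any client fetching more than a threshold of distinct attachment keys within a short window, which is what key enumeration against this IDOR looks like in web-server logs. The request path and `key` parameter name are placeholders, since the real endpoint is not given above, and the log lines are constructed.

```python
"""Constructed detection for attachment-download enumeration in access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder pattern: the real download endpoint and parameter name are not
# given in the advisory, so adapt ATTACHMENT_RE to the plugin's actual request.
ATTACHMENT_RE = re.compile(r'"GET /[^ ]*attachment[^ ]*[?&]key=([A-Za-z0-9]+)')
# Apache/nginx combined-format prefix: ip ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3})')

def parse_line(line):
    """Return an event dict for an attachment-download request, else None."""
    m = LOG_RE.match(line)
    a = ATTACHMENT_RE.search(line)
    if not m or not a:
        return None
    ip, user, ts, status = m.groups()
    return {"ip": ip, "user": user, "key": a.group(1), "status": int(status),
            "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}

def find_enumerators(lines, window=timedelta(minutes=10), max_keys=5):
    """Map actor -> distinct keys for actors that successfully downloaded more than
    max_keys distinct attachments inside `window`. Actor is the authenticated
    user when the log has one, otherwise the client IP (guest-ticket case)."""
    events = [e for e in map(parse_line, lines) if e and e["status"] == 200]
    events.sort(key=lambda e: e["ts"])
    per_actor = defaultdict(list)
    for e in events:
        per_actor[e["user"] if e["user"] != "-" else e["ip"]].append(e)
    flagged = {}
    for actor, evs in per_actor.items():
        for i, start in enumerate(evs):          # sliding window from each event
            keys = {x["key"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(keys) > max_keys:
                flagged[actor] = keys
                break
    return flagged

# Constructed sample log: alice fetches two of her own files, bob is refused once,
# an unauthenticated client walks through seven different keys in six minutes.
SAMPLE_LOG = [
    '203.0.113.5 - alice [01/Mar/2026:10:00:01 +0000] "GET /?sc_attachment=1&key=aa11 HTTP/1.1" 200 512',
    '203.0.113.5 - alice [01/Mar/2026:10:02:09 +0000] "GET /?sc_attachment=1&key=aa12 HTTP/1.1" 200 640',
    '203.0.113.9 - bob [01/Mar/2026:10:03:00 +0000] "GET /?sc_attachment=1&key=aa11 HTTP/1.1" 403 0',
    '203.0.113.9 - bob [01/Mar/2026:10:03:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
] + [f'198.51.100.7 - - [01/Mar/2026:10:0{i}:00 +0000] '
     f'"GET /?sc_attachment=1&key=k{i:02d} HTTP/1.1" 200 512' for i in range(7)]
```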
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-20T20:28:18.249Z
- Cvss Version: 3.1
- State: PUBLISHED
Added to database: 2/25/2026, 9:49:19 PM
Last enriched: 2/25/2026, 11:58:33 PM
Last updated: 2/26/2026, 9:39:30 AM