CVE-2024-0595 in Awesome Support Plugin
Summary
by MITRE • 02/10/2024
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails. CVE-2024-35741 is likely a duplicate of this issue.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-0595 affects the Awesome Support WordPress HelpDesk plugin, specifically targeting versions up to and including 6.1.7. This security flaw resides within the wpas_get_users() function which is exposed through an AJAX endpoint, creating a critical access control weakness that undermines the plugin's security posture. The vulnerability stems from the absence of proper capability checks, allowing unauthorized data retrieval by users who possess subscriber-level privileges or higher, fundamentally compromising the principle of least privilege that should govern access to sensitive user information within WordPress environments.
The technical implementation of this vulnerability demonstrates a classic insufficient authorization flaw, which aligns with CWE-863, also known as "Incorrect Authorization." The wpas_get_users() function operates without verifying whether the requesting user possesses the necessary permissions to access the user data being retrieved. When an authenticated attacker with subscriber-level access or higher makes an AJAX request to this endpoint, the function processes the request without validating the user's capabilities, thereby exposing sensitive information including email addresses of other users within the WordPress installation. This represents a significant breach of the WordPress capability system, which is designed to ensure that users can only access functionality and data appropriate to their assigned roles.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with valuable reconnaissance data that can be leveraged for further attacks. The exposure of email addresses creates opportunities for social engineering campaigns, phishing attacks, and credential stuffing attempts against users who may have reused passwords across different platforms. Attackers can systematically enumerate users within the system, building comprehensive user directories that could facilitate targeted attacks or be sold on dark web marketplaces. Additionally, the vulnerability affects the overall integrity of the WordPress site's user management system, as it undermines the trust model that relies on proper access controls to protect user privacy and maintain the security boundaries between different user roles within the platform.
The security implications of this vulnerability are particularly concerning given the widespread adoption of WordPress and the Awesome Support plugin, which means that numerous websites could be vulnerable to this attack vector. The fact that this affects all user levels from subscriber upward indicates that even the most basic accounts can be leveraged to gather information about other users, creating a potential escalation path for attackers who may begin with low-privilege accounts. Organizations relying on this plugin for customer support services face heightened risks, as the exposure of user email addresses could lead to privacy violations and potential compliance issues under data protection regulations such as GDPR or CCPA.
Mitigation strategies should focus on immediate patching of the affected plugin to version 6.1.8 or later, which addresses the missing capability check in the wpas_get_users() function. Administrators should also implement additional security measures including monitoring for unusual AJAX requests to the plugin endpoints, implementing rate limiting to prevent automated enumeration attacks, and ensuring that user roles are properly configured with the minimum necessary permissions. Network-level protections such as web application firewalls can help detect and block suspicious requests to the vulnerable AJAX endpoint, while regular security audits should verify that no other similar authorization flaws exist within the WordPress installation or its plugins. The vulnerability also underscores the importance of proper security testing practices, including capability verification in AJAX endpoints, as recommended by the OWASP Top Ten and NIST cybersecurity frameworks. Organizations should also consider implementing principle of least privilege enforcement through proper role configuration and regular access reviews to minimize the impact of such vulnerabilities.