Search criteria
3 vulnerabilities by psmplugins
CVE-2026-1251 (GCVE-0-2026-1251)
Vulnerability from cvelistv5 – Published: 2026-01-31 06:39 – Updated: 2026-02-02 17:55
VLAI?
Title
SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference
Summary
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.
Severity ?
5.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| psmplugins | SupportCandy – Helpdesk & Customer Support Ticket System |
Affected:
* , ≤ 3.4.4
(semver)
|
Credits
Theklis Stefani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T17:55:47.971261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T17:55:57.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System",
"vendor": "psmplugins",
"versions": [
{
"lessThanOrEqual": "3.4.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Theklis Stefani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the \u0027add_reply\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the \u0027description_attachments\u0027 parameter, re-associating those files to their own tickets and removing access from the original owners."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T06:39:23.182Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448376/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T19:19:37.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-23T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System \u003c= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1251",
"datePublished": "2026-01-31T06:39:23.182Z",
"dateReserved": "2026-01-20T19:04:14.485Z",
"dateUpdated": "2026-02-02T17:55:57.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0683 (GCVE-0-2026-0683)
Vulnerability from cvelistv5 – Published: 2026-01-31 05:52 – Updated: 2026-02-02 17:56
VLAI?
Title
SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter
Summary
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| psmplugins | SupportCandy – Helpdesk & Customer Support Ticket System |
Affected:
* , ≤ 3.4.4
(semver)
|
Credits
Supakiad S.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T17:56:44.137189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T17:56:52.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System",
"vendor": "psmplugins",
"versions": [
{
"lessThanOrEqual": "3.4.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T05:52:46.922Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448376/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-07T18:46:59.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System \u003c= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0683",
"datePublished": "2026-01-31T05:52:46.922Z",
"dateReserved": "2026-01-07T18:31:17.181Z",
"dateUpdated": "2026-02-02T17:56:52.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10658 (GCVE-0-2025-10658)
Vulnerability from cvelistv5 – Published: 2025-09-20 06:43 – Updated: 2025-09-22 15:01
VLAI?
Title
SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.7 - Authentication Bypass to Support Session Takeover
Summary
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
Severity ?
6.5 (Medium)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| psmplugins | SupportCandy – Helpdesk & Customer Support Ticket System |
Affected:
* , ≤ 3.3.7
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10658",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-22T15:01:39.741963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T15:01:56.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System",
"vendor": "psmplugins",
"versions": [
{
"lessThanOrEqual": "3.3.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-20T06:43:18.759Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b11670a-f6e4-4555-ab76-4223f0194517?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.3.7/includes/class-wpsc-current-user.php#L820"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.3.7/includes/models/class-wpsc-email-otp.php#L348"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3364335/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-18T05:31:46.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-19T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System \u003c= 3.3.7 - Authentication Bypass to Support Session Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10658",
"datePublished": "2025-09-20T06:43:18.759Z",
"dateReserved": "2025-09-17T21:59:39.750Z",
"dateUpdated": "2025-09-22T15:01:56.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}