CVE-2026-1251
📋 TL;DR
This vulnerability in the SupportCandy WordPress plugin allows authenticated attackers with subscriber-level access or higher to steal file attachments from other users' support tickets. Attackers can specify arbitrary attachment IDs to re-associate files with their own tickets, removing access from original owners. All WordPress sites using SupportCandy plugin versions up to 3.4.4 are affected.
💻 Affected Systems
- SupportCandy – Helpdesk & Customer Support Ticket System for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive files containing PII, financial data, or proprietary information are stolen and potentially leaked publicly, leading to data breaches, regulatory fines, and reputational damage.
Likely Case
Attackers steal attachments containing sensitive information from support tickets, potentially accessing customer data, internal documents, or other confidential materials uploaded by users.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized access to specific file attachments rather than full system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is well-documented with code references available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.5 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3448376/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find SupportCandy plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 3.4.5+ from WordPress plugin repository and manually update
🔧 Temporary Workarounds
Disable plugin temporarily
Deactivate the SupportCandy plugin until patched
wp plugin deactivate supportcandy
Restrict user roles
Temporarily limit subscriber-level access to ticket creation and management
🧯 If You Can't Patch
- Implement web application firewall rules to block requests containing suspicious attachment ID manipulation patterns
- Enable detailed logging of all file attachment operations and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → SupportCandy → Version. If version is 3.4.4 or lower, you are vulnerable.
Check Version:
wp plugin get supportcandy --field=version
Verify Fix Applied:
After updating, verify version is 3.4.5 or higher. Test that authenticated users cannot access attachments from tickets they don't own.
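The version check above is easy to get wrong when done as a plain string comparison ("3.4.10" sorts before "3.4.5" as text). The following script is an added example, not part of this advisory or the SupportCandy project: it reads the installed version with the WP-CLI command shown above (assumed to be on PATH; the call is skipped gracefully when it is not) and compares it numerically against the 3.4.5 fix version stated in the advisory.

```python
import re
import subprocess

# Fix version from the advisory (3.4.5 and later are patched).
FIXED_VERSION = "3.4.5"


def parse_version(version):
    """Turn '3.4.4' or '3.4.4-beta1' into a numeric tuple padded to three parts.

    Only the leading numeric component of each dotted chunk is used, so a
    pre-release suffix does not break the comparison.
    """
    parts = []
    for chunk in version.strip().split("."):
        match = re.match(r"\d+", chunk)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def installed_version():
    """Ask WP-CLI for the plugin version; None if wp is unavailable or fails."""
    try:
        result = subprocess.run(
            ["wp", "plugin", "get", "supportcandy", "--field=version"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("could not read SupportCandy version via wp-cli")
    else:
        state = "VULNERABLE" if is_vulnerable(current) else "patched"
        print(f"SupportCandy {current}: {state} (fixed in {FIXED_VERSION})")
```

Run it on the WordPress host as the web user so that wp-cli can load the site. A version like 3.4.10 is correctly reported as patched, which a lexical comparison would miss.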
📡 Detection & Monitoring
Log Indicators:
- Multiple failed attachment access attempts from same user
- Unusual attachment ID patterns in requests
- User accessing attachments from tickets they don't own
Network Indicators:
- HTTP POST requests to add_reply endpoint with manipulated description_attachments parameter
SIEM Query:
source="wordpress" AND (uri_path="*/wp-admin/admin-ajax.php*" OR uri_path="*/wp-json/*") AND (param="description_attachments" OR param="attachment_id") AND status=200
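The SIEM query above only isolates candidate requests; it cannot tell whether the referenced attachments belong to the requesting user. The script below is an added example, not code from this advisory or from the SupportCandy project. It runs the log indicators above over a handful of constructed JSON access-log lines, joins the description_attachments values against a constructed attachment-ownership table (in practice this would be fed from the helpdesk database), and raises a finding whenever a user's add_reply request references attachments owned by someone else. The log field names (user, method, uri, action, ticket_id, description_attachments) are assumptions for the example, not the plugin's or web server's real schema.

```python
import json
import re
from collections import defaultdict

# Constructed ownership table: attachment id -> (ticket id, owning user).
# Made-up values standing in for what the helpdesk database knows.
ATTACHMENT_OWNERS = {
    101: (1, "alice"),
    102: (1, "alice"),
    201: (2, "bob"),
    301: (3, "carol"),
    401: (4, "mallory"),
}

# Constructed access-log lines, one JSON object per request (field names are
# assumptions for this example).  The third line is the suspicious one: a reply
# on ticket 4 that references attachments belonging to tickets 1 and 3.
SAMPLE_LOGS = [
    '{"user":"alice","method":"POST","uri":"/wp-admin/admin-ajax.php","action":"add_reply","ticket_id":1,"description_attachments":"101,102","status":200}',
    '{"user":"bob","method":"POST","uri":"/wp-admin/admin-ajax.php","action":"add_reply","ticket_id":2,"description_attachments":"201","status":200}',
    '{"user":"mallory","method":"POST","uri":"/wp-admin/admin-ajax.php","action":"add_reply","ticket_id":4,"description_attachments":"401,101,301","status":200}',
    '{"user":"mallory","method":"GET","uri":"/wp-login.php","status":200}',
    '{"user":"carol","method":"POST","uri":"/wp-admin/admin-ajax.php","action":"add_reply","ticket_id":3,"description_attachments":"","status":200}',
]

ATTACHMENT_PARAM = "description_attachments"


def parse_attachment_ids(raw):
    """Accept '101,102', '[101, 102]', '' or None and return a list of ints."""
    if not raw:
        return []
    return [int(tok) for tok in re.findall(r"\d+", str(raw))]


def is_reply_with_attachments(event):
    """Match the network indicator: POST to admin-ajax.php add_reply carrying the parameter."""
    return (
        event.get("method") == "POST"
        and event.get("uri", "").endswith("/wp-admin/admin-ajax.php")
        and event.get("action") == "add_reply"
        and ATTACHMENT_PARAM in event
    )


def find_cross_ticket_references(log_lines, owners=ATTACHMENT_OWNERS):
    """Return one finding per request that references attachments owned by another user."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        if not is_reply_with_attachments(event):
            continue
        user = event["user"]
        foreign = []
        for att_id in parse_attachment_ids(event.get(ATTACHMENT_PARAM)):
            owner = owners.get(att_id)
            if owner is None:
                continue  # id unknown to the ownership table; not judged here
            ticket_id, owner_user = owner
            if owner_user != user:
                foreign.append({"attachment_id": att_id, "ticket_id": ticket_id, "owner": owner_user})
        if foreign:
            findings.append({"user": user, "ticket_id": event.get("ticket_id"), "foreign": foreign})
    return findings


def distinct_attachments_per_user(log_lines):
    """Count distinct attachment ids each user referenced, for volume-based alerting."""
    seen = defaultdict(set)
    for line in log_lines:
        event = json.loads(line)
        if is_reply_with_attachments(event):
            seen[event["user"]].update(parse_attachment_ids(event.get(ATTACHMENT_PARAM)))
    return {user: len(ids) for user, ids in seen.items()}


if __name__ == "__main__":
    for finding in find_cross_ticket_references(SAMPLE_LOGS):
        print(f"ALERT user={finding['user']} ticket={finding['ticket_id']} foreign={finding['foreign']}")
    print("distinct attachment ids per user:", distinct_attachments_per_user(SAMPLE_LOGS))
```

The ownership join is what turns the generic "unusual attachment ID patterns" indicator into a precise signal: a successful (status 200) reply that references another customer's attachment is exactly the behaviour the patched version refuses. The per-user count complements it for cases where the ownership table is incomplete.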