PSM Plugins SupportCandy CVE-2026-25321
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in PSM Plugins SupportCandy supportcandy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SupportCandy: from n/a through <= 3.4.4.
AnalysisAI
Insufficient access control in SupportCandy plugin versions 3.4.4 and earlier allows unauthenticated remote attackers to modify data through improperly configured security permissions. This vulnerability affects WordPress installations using the vulnerable plugin, enabling attackers to perform unauthorized actions without requiring authentication. No patch is currently available for this issue.
Technical ContextAI
Classified as CWE-862 (Missing Authorization). Affects PSM Plugins SupportCandy supportcandy. Missing Authorization vulnerability in PSM Plugins SupportCandy supportcandy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SupportCandy: from n/a through <= 3.4.4.
Affected ProductsAI
Product: PSM Plugins SupportCandy supportcandy.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today