Skip to main content

SupportCandy CVE-2026-54826

| EUVDEUVD-2026-39673 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 audit@patchstack.com GHSA-6mpj-cp6h-6c54
7.6
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
7.6 HIGH

Network-reachable IDOR needs only a Subscriber account (PR:L) and no interaction; primary impact is reading others' ticket data (C:H) with limited write/availability effect (I:L/A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:33 vuln.today

DescriptionCVE.org

Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions.

AnalysisAI

Insecure Direct Object Reference in the SupportCandy WordPress helpdesk plugin (versions 3.4.6 and earlier) lets an authenticated low-privilege user (Subscriber) access support tickets and data belonging to other users by manipulating object identifiers, effectively bypassing authorization controls. The flaw carries a CVSS 3.1 base score of 7.6 (PR:L) and was reported by Patchstack; no public exploit code or active exploitation has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Subscriber account on target WordPress site
Delivery
Authenticate to SupportCandy plugin
Exploit
Manipulate ticket/object ID parameter
Execution
Server returns other users' ticket data
Impact
Exfiltrate exposed support records

Vulnerability AssessmentAI

Exploitation Requires an authenticated WordPress account at the Subscriber level or higher on a site running SupportCandy <= 3.4.6 (per CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately consistent and point to a genuine but conditional risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers (or obtains) a Subscriber-level account on a WordPress site running SupportCandy 3.4.6, then logs in and issues requests to the plugin's ticket-handling endpoints while incrementing or substituting the ticket/object ID parameter. Because the plugin does not verify ownership, the attacker reads other customers' support tickets, messages, and any attached personal data. …
Remediation No vendor-released patch version was identified in the provided data; the advisory denotes affected versions as 3.4.6 and below, so administrators should upgrade SupportCandy to the latest available release above 3.4.6 from the WordPress plugin repository and confirm the fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/supportcandy/vulnerability/wordpress-supportcandy-plugin-3-4-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve) before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory WordPress installations running SupportCandy ≤3.4.6; audit support ticket access logs for suspicious low-privilege account activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54826 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy