Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
AV:N and AC:L confirmed by web delivery; PR:L because ticket submission requires a user account; UI:R for admin to view ticket; S:C for browser scope change; A:N as XSS does not typically cause availability impact absent specific DoS behavior.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PSM Plugins SupportCandy supportcandy allows Stored XSS.This issue affects SupportCandy: from n/a through <= 3.4.8.
AnalysisAI
Stored cross-site scripting in the SupportCandy WordPress plugin (versions through 3.4.8) allows a low-privileged authenticated attacker to inject persistent malicious scripts that execute in the browser of any user - likely an administrator or support agent - who subsequently views the tainted content. The scope change (S:C in CVSS) reflects that injected script breaks out of the plugin's trust boundary and runs in the victim's full browser session, enabling session hijacking, credential theft, or unauthorized administrative actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a low-privilege authenticated account in the WordPress or SupportCandy environment (PR:L per CVSS vector) - typically a registered site user or customer who can submit support tickets. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (Medium) is broadly appropriate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user - such as a registered WordPress customer or front-end support portal user - submits a new support ticket or reply containing a crafted JavaScript payload (e.g., a script tag or event handler in a text field) that the plugin fails to sanitize before storing. When a support agent or WordPress administrator opens the ticket in the admin dashboard, the stored script executes in their browser context, silently exfiltrating their session cookie or performing actions (such as creating a rogue admin account) on their behalf. … |
| Remediation | Administrators should update the SupportCandy plugin to a version above 3.4.8 immediately; the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/supportcandy/vulnerability/wordpress-supportcandy-plugin-3-4-8-cross-site-scripting-xss-vulnerability?_s_id=cve should be consulted for the specific patched release version, which was not explicitly stated in the available input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Supportcandy
View allThe SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL stateme
An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers
The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in
The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43366