Skip to main content

Supportcandy

5 CVEs product

Monthly

CVE-2026-57711 MEDIUM This Month

Stored cross-site scripting in the SupportCandy WordPress plugin (versions through 3.4.8) allows a low-privileged authenticated attacker to inject persistent malicious scripts that execute in the browser of any user - likely an administrator or support agent - who subsequently views the tainted content. The scope change (S:C in CVSS) reflects that injected script breaks out of the plugin's trust boundary and runs in the victim's full browser session, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Supportcandy
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2023-2805 HIGH POC This Week

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Supportcandy
NVD WPScan
CVSS 3.1
7.2
EPSS
0.9%
CVE-2023-2719 HIGH POC This Week

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Supportcandy
NVD WPScan
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-1730 CRITICAL POC THREAT Act Now

The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Supportcandy
NVD WPScan
CVSS 3.1
9.8
EPSS
40.6%
CVE-2019-11223 CRITICAL POC Act Now

An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress RCE Supportcandy
NVD
CVSS 3.0
9.8
EPSS
8.8%
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in the SupportCandy WordPress plugin (versions through 3.4.8) allows a low-privileged authenticated attacker to inject persistent malicious scripts that execute in the browser of any user - likely an administrator or support agent - who subsequently views the tainted content. The scope change (S:C in CVSS) reflects that injected script breaks out of the plugin's trust boundary and runs in the victim's full browser session, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Supportcandy
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Supportcandy
NVD WPScan
EPSS 1% CVSS 8.8
HIGH POC This Week

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Supportcandy
NVD WPScan
EPSS 41% CVSS 9.8
CRITICAL POC THREAT Act Now

The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Supportcandy
NVD WPScan
EPSS 9% CVSS 9.8
CRITICAL POC Act Now

An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress RCE +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy