{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5957", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-09T19:40:09.044Z", "datePublished": "2025-07-08T04:22:59.401Z", "dateUpdated": "2026-04-08T17:33:39.434Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:39.434Z"}, "affected": [{"vendor": "rcatheme", "product": "Guest Support", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Guest Support \u2013 Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete arbitrary support tickets."}], "title": "Guest Support \u2013 Complete customer support ticket system for WordPress <= 1.2.2 - Missing Authorization to Unauthenticated Ticket Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6e5dde2-f9f9-4a64-9174-e5e6e9fe1b23?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/ajax.php#L133"}, {"url": "https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/class-dbquery.php#L736"}, {"url": "https://plugins.trac.wordpress.org/changeset/3322664/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Amin Beheshti"}], "timeline": [{"time": "2025-06-26T15:22:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-08T17:55:50.440683Z", "id": "CVE-2025-5957", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-08T17:58:44.566Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5957", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-08T17:55:50.440683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-08T17:56:23.396Z"}}], "cna": {"title": "Guest Support \u2013 Complete customer support ticket system for WordPress <= 1.2.2 - Missing Authorization to Unauthenticated Ticket Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Amin Beheshti"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "rcatheme", "product": "Guest Support", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-26T15:22:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6e5dde2-f9f9-4a64-9174-e5e6e9fe1b23?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/ajax.php#L133"}, {"url": "https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/class-dbquery.php#L736"}, {"url": "https://plugins.trac.wordpress.org/changeset/3322664/"}], "descriptions": [{"lang": "en", "value": "The Guest Support \u2013 Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete arbitrary support tickets."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:39.434Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5957", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:39.434Z", "dateReserved": "2025-06-09T19:40:09.044Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-08T04:22:59.401Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Guest Support \u2013 Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete arbitrary support tickets."}, {"lang": "es", "value": "El complemento Guest Support \u2013 Complete customer support ticket system for WordPress para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a la falta de comprobaci\u00f3n de la funci\u00f3n \"deleteMassTickets\" en todas las versiones hasta la 1.2.2 incluida. Esto permite que atacantes no autenticados eliminen tickets de soporte arbitrarios."}], "id": "CVE-2025-5957", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-08T05:15:30.660", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/ajax.php#L133"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/class-dbquery.php#L736"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3322664/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6e5dde2-f9f9-4a64-9174-e5e6e9fe1b23?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:50:16.400054+00:00", "value": {"mitigation_remediation": ["Update the Guest Support plugin to the latest available version.", "Limit access to the plugin\u2019s AJAX endpoints by configuring WordPress or the plugin\u2019s settings to require authentication before allowing delete operations.", "If possible, review server logs for unexpected deleteMassTickets calls and restore deleted tickets from backup while monitoring for additional exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Ticket Deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Guest Support plugin from rcatheme, including all releases up to and including version 1.2.2. No other products are known to be affected.", "description_and_impact": "The Guest Support WordPress plugin has a missing capability check on the deleteMassTickets function, allowing unauthenticated users to delete any support ticket. This flaw results in loss of customer support data and undermines the integrity of the ticketing system. The vulnerability is categorized as a missing authorization weakness (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1\u202f% shows a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by invoking the deleteMassTickets AJAX endpoint without authentication, thereby deleting arbitrary tickets."}}}}, "created": "2026-04-21T20:00:25.892888+00:00", "updated": "2026-04-21T20:00:25.892902+00:00", "vendors": []}