{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0683", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T18:31:17.181Z", "datePublished": "2026-01-31T05:52:46.922Z", "dateUpdated": "2026-04-08T17:13:40.679Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:40.679Z"}, "affected": [{"vendor": "psmplugins", "product": "SupportCandy \u2013 Helpdesk & Customer Support Ticket System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SupportCandy \u2013 Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "SupportCandy \u2013 Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265"}, {"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288"}, {"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371"}, {"url": "https://plugins.trac.wordpress.org/changeset/3448376/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-01-07T18:46:59.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T17:56:44.137189Z", "id": "CVE-2026-0683", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T17:56:52.091Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0683", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T17:56:44.137189Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T17:56:49.263Z"}}], "cna": {"title": "SupportCandy \u2013 Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "psmplugins", "product": "SupportCandy \u2013 Helpdesk & Customer Support Ticket System", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.4.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-07T18:46:59.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-30T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265"}, {"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288"}, {"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371"}, {"url": "https://plugins.trac.wordpress.org/changeset/3448376/"}], "descriptions": [{"lang": "en", "value": "The SupportCandy \u2013 Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-31T05:52:46.922Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0683", "state": "PUBLISHED", "dateUpdated": "2026-02-02T17:56:52.091Z", "dateReserved": "2026-01-07T18:31:17.181Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-31T05:52:46.922Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SupportCandy \u2013 Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El plugin SupportCandy \u2013 Helpdesk &amp; Customer Support Ticket System para WordPress es vulnerable a inyecci\u00f3n SQL a trav\u00e9s del filtro de campo personalizado de tipo num\u00e9rico en todas las versiones hasta la 3.4.4, inclusive. Esto se debe a un escape insuficiente en el valor del operando proporcionado por el usuario al usar el operador de igualdad y a la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior (clientes), a\u00f1adan consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n sensible de la base de datos."}], "id": "CVE-2026-0683", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-31T06:16:03.610", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3448376/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:56:04.862252+00:00", "value": {"mitigation_remediation": ["Upgrade SupportCandy to the latest available version, which removes the flawed filtering logic and implements proper query parameterization.", "If an update is not immediately possible, remove or downgrade any Subscriber accounts that are not required to access the ticket list, thereby denying the minimum privilege needed to exploit the flaw.", "Deploy a Web Application Firewall or equivalent input validation rule that blocks SQL injection patterns in the request parameters of the SupportCandy admin pages, mitigating the risk until a patch can be applied."], "summary": {"action": "Apply Patch", "impact": "SQL Injection via Number Field Filter"}, "threat_synthesis": {"affected_systems": "Any site running the SupportCandy plugin version 3.4.4 or earlier, on a WordPress installation, is affected. The issue affects the default numbered custom fields used in ticket filtering. Affected users include any WordPress accounts with at least Subscriber rights, which is the minimum requirement to access the ticket list and apply filters.", "description_and_impact": "The SupportCandy \u2013 Helpdesk & Customer Support Ticket System plugin for WordPress has a SQL injection flaw in its number-type custom field filter. The vulnerability arises because the plugin fails to properly escape user-supplied values when the equals operator is used, allowing attackers with authenticated access at the Subscriber level or higher to inject SQL code. This results in the ability to append arbitrary SELECT statements to the original query, thereby exposing sensitive data stored in the WordPress database. The weakness is a classic input validation error (CWE\u201189).", "risk_and_exploitability": "The CVSS score is 6.5, indicating a moderate severity, and the EPSS score is below 1%, suggesting a low to moderate likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must already authenticate with sufficient privileges and then craft a filter query in the plugin\u2019s interface to inject malicious SQL. Once executed, the attacker can read arbitrary tables or drop data, depending on the injected statement. No additional access or local execution is required beyond the existing account privileges."}}}}, "created": "2026-02-02T09:26:42.600880+00:00", "updated": "2026-04-15T19:00:12.308121+00:00", "vendors": ["psmplugins", "psmplugins$PRODUCT$supportcandy_\u2013_helpdesk_&_customer_support_ticket_system", "wordpress", "wordpress$PRODUCT$wordpress"]}