{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1251", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T19:04:14.485Z", "datePublished": "2026-01-31T06:39:23.182Z", "dateUpdated": "2026-04-08T17:05:35.339Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:35.339Z"}, "affected": [{"vendor": "psmplugins", "product": "SupportCandy \u2013 Helpdesk & Customer Support Ticket System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SupportCandy \u2013 Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners."}], "title": "SupportCandy \u2013 Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603"}, {"url": "https://plugins.trac.wordpress.org/changeset/3448376/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Theklis Stefani"}], "timeline": [{"time": "2026-01-20T19:19:37.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-23T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T17:55:47.971261Z", "id": "CVE-2026-1251", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T17:55:57.069Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1251", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T17:55:47.971261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T17:55:53.658Z"}}], "cna": {"title": "SupportCandy \u2013 Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference", "credits": [{"lang": "en", "type": "finder", "value": "Theklis Stefani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "psmplugins", "product": "SupportCandy \u2013 Helpdesk & Customer Support Ticket System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.4.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-20T19:19:37.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-23T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603"}, {"url": "https://plugins.trac.wordpress.org/changeset/3448376/"}], "descriptions": [{"lang": "en", "value": "The SupportCandy \u2013 Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:35.339Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1251", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:35.339Z", "dateReserved": "2026-01-20T19:04:14.485Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-31T06:39:23.182Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SupportCandy \u2013 Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners."}, {"lang": "es", "value": "El plugin SupportCandy \u2013 Helpdesk &amp; Customer Support Ticket System para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 3.4.4, inclusive, a trav\u00e9s de la funci\u00f3n 'add_reply' debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, roben archivos adjuntos cargados por otros usuarios al especificar IDs de adjuntos arbitrarios en el par\u00e1metro 'description_attachments', re-asociando esos archivos a sus propios tickets y eliminando el acceso de los propietarios originales."}], "id": "CVE-2026-1251", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-31T07:16:02.273", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3448376/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:22:16.238682+00:00", "value": {"mitigation_remediation": ["Update the SupportCandy plugin to the latest available version.", "Remove any tickets that were created by attackers and contain stolen attachments to deny further unauthorized access.", "Enforce strict server\u2011side validation of attachment identifiers so that only the original uploader can associate a file with a ticket."], "summary": {"action": "Apply Patch", "impact": "Unrestricted access to file attachments via insecure direct object reference"}, "threat_synthesis": {"affected_systems": "All installations of the SupportCandy WordPress plugin with a version of 3.4.4 or earlier are affected. The vulnerability is present in every supported build of that version range and is not limited to a single configuration or deployment scenario.", "description_and_impact": "The SupportCandy Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to an insecure direct object reference, a CWE\u2011639 flaw. The defect exists in the add_reply function where the description_attachments parameter is not validated against a user\u2011controlled key. An authenticated user with subscriber-level privileges or higher can supply arbitrary attachment IDs, causing the system to re\u2011associate those files with the attacker\u2019s tickets and revoke the original owners\u2019 access. This results in unauthorized disclosure or removal of user\u2011uploaded documents, compromising confidentiality and potentially availability of attachments.", "risk_and_exploitability": "The CVSS score of 5.4 classifies the issue as moderate severity, but the EPSS score of less than 1% indicates a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been leveraged by large\u2011scale attackers. Exploitation requires authenticated access to the WordPress site with at least subscriber privileges, so the potential impact is confined to users who already have login capabilities. Nonetheless, the ability to steal and reallocate sensitive attachments warrants timely remediation."}}}}, "created": "2026-02-02T09:26:41.906063+00:00", "updated": "2026-04-16T01:30:20.310041+00:00", "vendors": ["psmplugins", "psmplugins$PRODUCT$supportcandy_\u2013_helpdesk_&_customer_support_ticket_system", "wordpress", "wordpress$PRODUCT$wordpress"]}