WordPress Plugin Vulnerabilities

Support Genix < 1.4.12 - Authenticated (Subscriber+) Insecure Direct Object Reference

Description

The Support Genix – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.11 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
support-genix-lite
Fixed in 1.4.12

References

CVE
CVE-2025-30777
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cc92354-55f4-4799-a974-14fa6fb584b9

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
astra.r3verii
Verified
No
WPVDB ID
62ddd667-c6d0-4a2e-a047-d398f489122c

Timeline

Publicly Published
2025-03-27 (about 1 year ago)
Added
2025-04-03 (about 1 year ago)
Last Updated
2025-04-03 (about 1 year ago)

Other

Published
Title
Published
2024-03-29
Title
Thumbs Rating <= 5.1.0 - Unauthenticated Insecure Direct Object Reference
Published
2024-11-08
Title
Attesa Extra < 1.4.3 - Authenticated (Contributor+) Post Disclosure
Published
2024-11-25
Title
The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure
Published
2026-01-02
Title
Overton <= 1.3 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-12-20
Title
WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference