Awesome Support < 6.3.8 – Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter | CVE 2026-4654 | Plugin Vulnerabilities

Description

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.

Affects Plugins

awesome-support

Fixed in 6.3.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9015fa-b3f0-4312-8acd-02b715e26f33

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Michael Iden (Mickhat)

Verified

No

WPVDB ID

977a0f20-3c54-46a5-8f79-2794cb5e192e

Timeline

Publicly Published

2026-04-07 (about 1 month ago)

Added

2026-04-07 (about 1 month ago)

Last Updated

2026-04-08 (about 1 month ago)

Other

Published

Title

Published

2024-04-22

Title

ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.0 - Insecure Direct Object Reference

Published

2026-03-12

Title

Appointment Booking Calendar < 1.6.10.0 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure

Published

2023-01-17

Title

WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

Published

2024-12-24

Title

Avada Builder < 3.11.13 - Authenticated (Contributor+) Protected Post Disclosure

Published

2024-12-12

Title

WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin < 1.0.28 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion