SupportCandy – Helpdesk & Customer Support Ticket System < 3.4.5 – Authenticated (Subscriber+) Insecure Direct Object Reference | CVE 2026-1251 | Plugin Vulnerabilities

Description

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.

Affects Plugins

Fixed in 3.4.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Theklis

Verified

No

WPVDB ID

e15e2bc2-e17c-43f0-9b82-ead348847910

Timeline

Publicly Published

2026-01-23 (about 3 months ago)

Added

2026-01-30 (about 3 months ago)

Last Updated

2026-01-31 (about 3 months ago)

Other

Published

Title

Published

2023-07-10

Title

WooCommerce Ship to Multiple Addresses < 3.8.6 - Customer+ Shipping Address Update

Published

2026-04-23

Title

Maxi Blocks < 2.1.9 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter

Published

2026-03-10

Title

Happy Addons for Elementor < 3.21.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions

Published

2024-12-05

Title

XLTab – Accordions and Tabs for Elementor Page Builder < 1.5 - Authenticated (Contributor+) Post Disclosure

Published

2025-06-05

Title

Password Policy Manager < 2.0.5 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover