CVE-2025-10658
BaseFortify
Publication date: 2025-09-20
Last updated on: 2025-09-22
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| supportcandy | helpdesk_and_customer_support_ticket_system | * |
| supportcandy | helpdesk_and_customer_support_ticket_system | 3.3.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress allows unauthenticated attackers to bypass authentication by brute forcing the 6-digit OTP code used for guest login. This is possible because there is no rate limiting on the OTP verification process, enabling attackers to gain unauthorized access to customer support tickets.
How can this vulnerability impact me?
This vulnerability can allow attackers to gain unauthorized access to customer support tickets, potentially exposing sensitive customer information. This unauthorized access could lead to data leakage, privacy violations, and misuse of support ticket data.
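The control whose absence CWE-307 describes is a cap on failed OTP verification attempts. The following is an added illustration of that control, not code from the SupportCandy plugin and not written in the plugin's language (Python rather than PHP, so the logic reads stand-alone). It assumes the guest is identified by an e-mail address, and the three policy constants (five failures per code, ten-minute code lifetime, fifteen-minute lockout) are assumed values chosen for the example. It also refuses to issue a new code while an identifier is locked out, since otherwise requesting a fresh OTP would reset the failure counter and defeat the limit.

```python
"""Rate-limited verification of a 6-digit guest-login OTP.

Added illustration for CWE-307, not code from the SupportCandy plugin.
Every policy constant below is an assumed value chosen for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 5         # assumed: wrong guesses allowed per issued code
OTP_TTL_SECONDS = 600    # assumed: a code expires ten minutes after issue
LOCKOUT_SECONDS = 900    # assumed: after MAX_FAILURES, no codes for 15 minutes


@dataclass
class OtpRecord:
    code: Optional[str]   # None once the code has been used, expired or invalidated
    issued_at: float
    failures: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    """Keeps one record per identifier (assumed here to be the guest's e-mail)."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 rng: Callable[[int], int] = secrets.randbelow):
        self._clock = clock          # injectable so expiry can be tested
        self._rng = rng              # injectable so the code can be fixed in tests
        self._records: Dict[str, OtpRecord] = {}

    def issue(self, identifier: str) -> Optional[str]:
        """Issue a fresh code, or None while the identifier is locked out."""
        now = self._clock()
        rec = self._records.get(identifier)
        if rec is not None and rec.locked_until > now:
            # Refusing a new code here matters: otherwise requesting another
            # OTP would reset the failure counter and defeat the limit.
            return None
        code = f"{self._rng(1_000_000):06d}"   # six digits, leading zeros kept
        self._records[identifier] = OtpRecord(code=code, issued_at=now)
        return code

    def verify(self, identifier: str, candidate: str) -> bool:
        """Accept only the live, unexpired code; count every failure."""
        now = self._clock()
        rec = self._records.get(identifier)
        if rec is None or rec.code is None or rec.locked_until > now:
            return False
        if now - rec.issued_at > OTP_TTL_SECONDS:
            rec.code = None                    # expired: never accept it
            return False
        if hmac.compare_digest(rec.code, candidate):
            rec.code = None                    # single use
            return True
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.code = None                    # invalidate the guessed-at code
            rec.locked_until = now + LOCKOUT_SECONDS
        return False

    def failures(self, identifier: str) -> int:
        """Failed attempts recorded against the current code (0 if none)."""
        rec = self._records.get(identifier)
        return 0 if rec is None else rec.failures


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("guest@example.test")       # constructed sample identifier
    print("issued:", code)
    print("wrong guess accepted?", v.verify("guest@example.test", "000000"))
    print("right code accepted?", v.verify("guest@example.test", code))
```

With a five-attempt cap per code and a lockout on further issuance, a six-digit code space cannot be walked through by repeated submissions; the comparison also uses `hmac.compare_digest` so the check does not leak how many digits matched. In a real plugin the record would live in persistent storage keyed by the guest identifier, and the same counter should also be applied per source address.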