CVE-2026-0683
Unknown Unknown - Not Provided
SQL Injection in SupportCandy Plugin Allows Data Extraction

Publication date: 2026-01-31

Last updated on: 2026-01-31

Assigner: Wordfence

Description
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-31
Last Modified
2026-01-31
Generated
2026-06-16
AI Q&A
2026-01-31
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0683
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
supportcandy supportcandy to 3.4.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an SQL Injection in the SupportCandy WordPress plugin (up to version 3.4.4) that occurs via the Number-type custom field filter. Due to insufficient escaping and preparation of user-supplied input when using the equals operator, authenticated users with Subscriber-level access or higher can append malicious SQL queries to existing database queries. This allows them to extract sensitive information from the database. [4]

Impact Analysis

The vulnerability allows authenticated users with low-level access (Subscriber and above) to perform unauthorized SQL queries on the database. This can lead to exposure of sensitive information stored in the database, potentially compromising user data and other confidential information managed by the SupportCandy plugin.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing AJAX requests related to the SupportCandy plugin's ticket filtering functionality, specifically those involving the Number-type custom field filter. Since the vulnerability involves SQL Injection via the equals operator on this numeric custom field, you can look for suspicious or malformed SQL payloads in requests made by authenticated users with Subscriber-level access or higher. Commands to detect this might include inspecting HTTP POST requests to AJAX endpoints handling ticket filters, for example using tools like curl or network monitoring tools to capture and analyze requests to the plugin's AJAX actions such as 'get_tickets'. Example command to capture such requests could be: `curl -X POST -d 'action=get_tickets&filters[number_field]=<payload>' https://yourwordpresssite.com/wp-admin/admin-ajax.php --cookie 'wordpress_logged_in=...'` where `<payload>` is a test input to check for SQL injection. Additionally, reviewing logs for unusual database errors or unexpected data exposure related to ticket queries may help detect exploitation attempts. [1, 4]

Mitigation Strategies

Immediate mitigation steps include updating the SupportCandy plugin to version 3.4.5 or later, where the vulnerability has been fixed. Until the update can be applied, restrict or monitor access to the ticket filtering functionality, especially for users with Subscriber-level access or higher. Implement web application firewall (WAF) rules to detect and block suspicious SQL injection attempts targeting the Number-type custom field filter. Additionally, review and tighten user permissions to limit who can access ticket filtering features. Applying security best practices such as input validation and escaping on user-supplied data in custom filters is essential, but the primary recommended action is to upgrade the plugin to the patched version. [3]

Compliance Impact

This vulnerability allows authenticated attackers with Subscriber-level access to perform SQL Injection attacks that can extract sensitive information from the database. Such unauthorized access and data extraction can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches. Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing sensitive user data. [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0683. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart