CVE-2026-1251
Insecure Direct Object Reference in SupportCandy Plugin Allows Attachment Theft
Publication date: 2026-01-31
Last updated on: 2026-01-31
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| supportcandy | supportcandy | to 3.4.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in the SupportCandy WordPress plugin (up to version 3.4.4). It occurs in the 'add_reply' function due to missing validation on a user-controlled key. Authenticated users with subscriber-level access or higher can exploit this flaw by specifying arbitrary attachment IDs in the 'description_attachments' parameter. This allows them to steal file attachments uploaded by other users by re-associating those files to their own tickets and removing access from the original owners.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access and theft of file attachments between users within the SupportCandy helpdesk system. An attacker with subscriber-level access or above can access and reassign files uploaded by other users to their own tickets, effectively stealing sensitive or private attachments and denying the original owners access to their files. This compromises data confidentiality and user privacy within the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authenticated attacker with subscriber-level access exploiting the 'add_reply' function by specifying arbitrary attachment IDs in the 'description_attachments' parameter to steal file attachments. Detection can involve monitoring for unusual or unauthorized access to attachments or suspicious use of the 'add_reply' function with unexpected attachment IDs. Specific commands are not provided in the resources, but monitoring WordPress logs for AJAX requests to 'add_reply' with 'description_attachments' parameters or using WordPress security plugins to audit user actions may help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the SupportCandy plugin to a version later than 3.4.4 where the vulnerability is fixed. Additionally, restrict subscriber-level users from accessing or modifying attachments if possible, and monitor user activity for suspicious behavior related to ticket replies and attachments. Applying principle of least privilege and ensuring proper validation on user inputs in the plugin can help prevent exploitation. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated attackers with subscriber-level access to steal file attachments uploaded by other users by exploiting insecure direct object references. Such unauthorized access and data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data access and confidentiality. Therefore, the vulnerability negatively impacts compliance by enabling unauthorized data disclosure and potentially compromising user privacy and data security.