Insecure Direct Object Reference in SupportCandy Plugin for WordPress
CVE-2026-1251

5.4MEDIUM

Key Information:

Vendor

WordPress
Status
Supportcandy – Helpdesk & Customer Support Ticket System
Vendor
CVE Published:
31 January 2026

What is CVE-2026-1251?

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is affected by an Insecure Direct Object Reference vulnerability due to insufficient validation of user-controlled keys in the 'add_reply' function. This allows authenticated users with subscriber-level access or above to manipulate attachment IDs in the 'description_attachments' parameter. Consequently, attackers can gain unauthorized access to file attachments uploaded by other users, reassigning them to their own support tickets while obstructing the original owners' access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

SupportCandy – Helpdesk & Customer Support Ticket System * <= 3.4.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/supportcandy/t...
https://plugins.trac.wordpress.org/changeset/3448376/

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Theklis Stefani
JSON
.