Insecure Direct Object Reference in Awesome Support - WordPress HelpDesk & Support Plugin
CVE-2026-4654

5.3 MEDIUM

What is CVE-2026-4654?

The Awesome Support - WordPress HelpDesk & Support Plugin is vulnerable to Insecure Direct Object Reference in all versions up to and including 6.3.7. The wpas_get_ticket_replies_ajax() function does not adequately verify that the requesting user is permitted to access the support ticket identified by the ticket_id parameter before returning data for that ticket. As a result, authenticated users with Subscriber-level access or higher can retrieve sensitive data from any support ticket by substituting an arbitrary ticket_id, potentially compromising user privacy and data integrity.
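The following is an added illustrative example, not the plugin's own code and not a reconstruction of wpas_get_ticket_replies_ajax(). It contrasts a WordPress AJAX handler that dereferences ticket_id without any authorization check (the IDOR pattern the advisory describes) with a hardened handler that verifies the nonce, the session and per-ticket authorization before touching the object. The post types 'ticket' and 'ticket_reply', the nonce action 'example_ticket_nonce' and every example_-prefixed name are assumptions made for this example; check_ajax_referer(), get_post(), user_can(), get_children() and wp_send_json_*() are standard WordPress APIs.

```php
<?php
// Added illustrative example (not the plugin's code). Assumptions: tickets are
// posts of a hypothetical post type 'ticket' whose owner is the post author, and
// replies are child posts of a hypothetical post type 'ticket_reply'.

// Vulnerable pattern: any logged-in caller can pass any ticket_id and receive
// that ticket's replies, because nothing ties the ticket to the requester.
function example_get_ticket_replies_vulnerable() {
    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    wp_send_json_success( example_format_replies( $ticket_id ) );
}

// Hardened version: CSRF check, authentication check, object-type check and a
// per-ticket authorization decision, all before ticket_id is dereferenced.
function example_get_ticket_replies_hardened() {
    // Reject forged cross-site requests; 'example_ticket_nonce' is an assumed action name.
    check_ajax_referer( 'example_ticket_nonce', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    $ticket    = $ticket_id ? get_post( $ticket_id ) : null;

    // "Does not exist" and "is not a ticket" get the same response so the
    // endpoint does not reveal which post IDs are valid tickets.
    if ( ! $ticket || 'ticket' !== $ticket->post_type ) {
        wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 );
    }

    // Unauthorized callers get the same answer as for a missing ticket, so an
    // enumeration of ticket_id values learns nothing from the response.
    if ( ! example_user_can_view_ticket( get_current_user_id(), $ticket ) ) {
        wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 );
    }

    wp_send_json_success( example_format_replies( $ticket->ID ) );
}

// Single authorization rule shared by every ticket endpoint: the ticket owner
// may view it; anyone else needs WordPress's per-post 'edit_post' meta-capability
// for this ticket, which is how agent/administrator roles would be granted access.
function example_user_can_view_ticket( $user_id, $ticket ) {
    if ( (int) $ticket->post_author === (int) $user_id ) {
        return true;
    }
    return user_can( $user_id, 'edit_post', $ticket->ID );
}

// Return only the reply fields the client needs rather than whole post objects.
function example_format_replies( $ticket_id ) {
    $replies = get_children( array(
        'post_parent' => $ticket_id,
        'post_type'   => 'ticket_reply',
        'post_status' => 'any',
    ) );
    $out = array();
    foreach ( $replies as $reply ) {
        $out[] = array(
            'id'      => $reply->ID,
            'author'  => (int) $reply->post_author,
            'date'    => $reply->post_date,
            'content' => $reply->post_content,
        );
    }
    return $out;
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_get_ticket_replies', 'example_get_ticket_replies_hardened' );
```

The key design choice is that the authorization decision lives in one function keyed on the specific object requested, not on the caller's role alone: a Subscriber who owns a ticket is allowed, a Subscriber who does not is refused, and both the "missing" and "forbidden" outcomes return an identical 404 body so the endpoint cannot be used to confirm which ticket IDs exist.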

Affected Version(s)

Awesome Support - WordPress HelpDesk & Support Plugin, all versions up to and including 6.3.7 (0 <= version <= 6.3.7)

CVSS v3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Michael Iden