CVE-2025-10658: CWE-307 Improper Restriction of Excessive Authentication Attempts in psmplugins SupportCandy – Helpdesk & Customer Support Ticket System
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
AI Analysis
Technical Summary
CVE-2025-10658 is an authentication bypass vulnerability in the SupportCandy WordPress plugin caused by the absence of rate limiting on one-time password (OTP) verification during guest login. Attackers can brute force the 6-digit OTP code without restriction, enabling unauthorized access to customer support tickets. This vulnerability affects all versions up to and including 3.3.7. The weakness is categorized under CWE-307, which involves improper restriction of excessive authentication attempts. The CVSS score of 6.5 reflects a network attack vector with low attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity.
Potential Impact
Successful exploitation allows unauthenticated attackers to bypass authentication controls by brute forcing OTP codes, leading to unauthorized access to customer support tickets. This compromises the confidentiality and integrity of sensitive customer data handled by the SupportCandy plugin. There is no indication of availability impact. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix is currently documented, users should monitor the vendor's communications for updates. Until a fix is available, consider implementing external rate limiting or additional authentication controls on the OTP verification process to reduce brute force risk.
CVE-2025-10658: CWE-307 Improper Restriction of Excessive Authentication Attempts in psmplugins SupportCandy – Helpdesk & Customer Support Ticket System
Description
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-10658 is an authentication bypass vulnerability in the SupportCandy WordPress plugin caused by the absence of rate limiting on one-time password (OTP) verification during guest login. Attackers can brute force the 6-digit OTP code without restriction, enabling unauthorized access to customer support tickets. This vulnerability affects all versions up to and including 3.3.7. The weakness is categorized under CWE-307, which involves improper restriction of excessive authentication attempts. The CVSS score of 6.5 reflects a network attack vector with low attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity.
Potential Impact
Successful exploitation allows unauthenticated attackers to bypass authentication controls by brute forcing OTP codes, leading to unauthorized access to customer support tickets. This compromises the confidentiality and integrity of sensitive customer data handled by the SupportCandy plugin. There is no indication of availability impact. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix is currently documented, users should monitor the vendor's communications for updates. Until a fix is available, consider implementing external rate limiting or additional authentication controls on the OTP verification process to reduce brute force risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-09-17T21:59:39.750Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68ce4e4eab7f779c79ff311b
Added to database: 9/20/2025, 6:48:46 AM
Last enriched: 4/9/2026, 8:47:14 PM
Last updated: 5/10/2026, 2:43:02 PM
Views: 203
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.