CVE-2025-10658 is an authentication bypass vulnerability identified in the SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress, specifically in versions up to and including 3.3.7. The root cause is the absence of rate limiting on the one-time password (OTP) verification mechanism used for guest login. The OTP is a 6-digit code intended to authenticate users before granting access to customer support tickets. Without rate limiting, an unauthenticated attacker can perform brute force attacks against the OTP verification endpoint, systematically trying all possible 6-digit combinations (1,000,000 possibilities) until the correct code is found. This allows the attacker to bypass authentication controls and gain unauthorized access to potentially sensitive customer support tickets, exposing confidential information and possibly enabling further exploitation or social engineering. The vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). The CVSS v3.1 base score is 6.5, indicating a medium severity level, with attack vector as network (remote), no privileges required, no user interaction needed, and limited impact on confidentiality and integrity but no impact on availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions of the plugin up to 3.3.7, which is widely used in WordPress environments for customer support ticket management.

The primary impact of this vulnerability is unauthorized access to customer support tickets, which can contain sensitive personal and business information. This compromises confidentiality and integrity of data managed by the SupportCandy plugin. Attackers could leverage this access to gather intelligence, conduct social engineering attacks, or escalate privileges within the affected organization. Although availability is not directly impacted, the breach of sensitive data can lead to reputational damage, regulatory penalties (especially under data protection laws like GDPR), and loss of customer trust. Organizations relying on SupportCandy for customer support are at risk of data leakage and potential compliance violations. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk for organizations with publicly accessible WordPress sites using this plugin.

To mitigate this vulnerability, organizations should immediately implement rate limiting on the OTP verification endpoint to restrict the number of attempts per IP address or user session, effectively preventing brute force attacks. If possible, update the SupportCandy plugin to a patched version once released by the vendor. In the absence of an official patch, consider temporarily disabling guest login via OTP or replacing it with more secure authentication mechanisms such as multi-factor authentication with stronger factors. Monitoring and logging OTP verification attempts can help detect brute force activity early. Additionally, applying web application firewall (WAF) rules to block suspicious repeated OTP verification requests can provide a protective layer. Educate support staff to recognize signs of unauthorized access and review access logs regularly. Finally, ensure that sensitive ticket data is encrypted at rest and access controls are enforced within the support system to limit damage in case of compromise.