
CVE-2025-10658: CWE-307 Improper Restriction of Excessive Authentication Attempts in psmplugins SupportCandy – Helpdesk & Customer Support Ticket System

Medium
Tags: Vulnerability, CVE-2025-10658, CWE-307
Published: Sat Sep 20 2025 (09/20/2025, 06:43:18 UTC)
Source: CVE Database V5
Vendor/Project: psmplugins
Product: SupportCandy – Helpdesk & Customer Support Ticket System

Description

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.

AI-Powered Analysis

Last updated: 09/20/2025, 06:49:50 UTC

Technical Analysis

CVE-2025-10658 is a medium severity vulnerability affecting the SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress, developed by psmplugins. The vulnerability arises from improper restriction of excessive authentication attempts (CWE-307) on the One-Time Password (OTP) verification mechanism used for guest login. Specifically, all versions up to and including 3.3.7 lack rate limiting on OTP verification, allowing unauthenticated attackers to brute force the 6-digit OTP code. Because the OTP is only six digits, there are just 1,000,000 possible values, a space that is feasible to exhaust when no rate limiting or lockout mechanism bounds the number of guesses. Successful exploitation lets an attacker bypass authentication and gain unauthorized access to customer support tickets, compromising the confidentiality and integrity of sensitive customer data and support interactions. The vulnerability is remotely exploitable over the network without any privileges or user interaction, which raises its risk profile. Although no exploits are currently reported in the wild, the ease of exploitation and the sensitive nature of the data reachable through the plugin make this a significant concern for organizations using SupportCandy. The CVSS v3.1 base score is 6.5 (medium), reflecting a network attack vector, low attack complexity, no privileges required, no user interaction, and partial impact on confidentiality and integrity with no impact on availability. No patches or fixes have been linked yet, so affected organizations must take immediate mitigating actions to reduce risk.

Potential Impact

For European organizations using the SupportCandy plugin on WordPress sites, this vulnerability poses a direct threat to the confidentiality and integrity of customer support data. Unauthorized access to support tickets can expose personally identifiable information (PII), sensitive business communications, and potentially credentials or other confidential information shared during support interactions. This can result in reputational damage, regulatory non-compliance (notably under GDPR), and financial losses. Because the bypass requires neither user interaction nor privileges, attackers can automate attempts at scale, increasing the likelihood of compromise. Organizations relying on SupportCandy for customer support risk data breaches affecting customers across Europe, potentially triggering mandatory breach notifications and fines. Additionally, an attacker who gains a foothold through this vector could pivot to further attacks within the affected environment. The current lack of known exploits in the wild provides a window for proactive defense, but the vulnerability's characteristics suggest it could be weaponized quickly once discovered by malicious actors.

Mitigation Recommendations

1. Immediate mitigation should include implementing custom rate limiting or throttling on OTP verification endpoints at the web server or application firewall level to prevent brute force attempts.
2. Monitor logs for repeated failed OTP attempts and implement alerting for suspicious activity.
3. Temporarily disable guest login via OTP if feasible until an official patch is released.
4. Enforce multi-factor authentication (MFA) for all user roles where possible, reducing reliance on OTP for guest access.
5. Regularly update the SupportCandy plugin to the latest version once a patch addressing this vulnerability is released.
6. Conduct a thorough audit of access logs and support ticket data for signs of unauthorized access.
7. Educate support staff to recognize and report suspicious activity.
8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block brute force patterns against OTP endpoints.
9. Engage with the vendor or community to obtain timely patches or workarounds.

These steps go beyond generic advice by focusing on immediate compensating controls and proactive monitoring tailored to the nature of this vulnerability.
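The following is an added illustration of the missing control described in the Technical Analysis and of mitigation step 1 above; it is not SupportCandy code and does not reflect how the plugin implements OTP verification. It wraps a constant-time OTP comparison in a per-identity attempt limiter with lockout, and computes how far such a cap shrinks an attacker's odds against the 6-digit code space. The attempt limit, window and lockout durations are assumed policy values, not values from the advisory.

```python
import secrets
import time
from collections import defaultdict, deque

OTP_DIGITS = 6
OTP_SPACE = 10 ** OTP_DIGITS   # 1,000,000 possible codes, as the advisory states
MAX_ATTEMPTS = 5               # failed verifications allowed per window (assumed policy)
WINDOW_SECONDS = 600           # sliding window for counting failures (assumed policy)
LOCKOUT_SECONDS = 900          # lockout once the limit is reached (assumed policy)


class OtpVerifier:
    """OTP check with a per-identity failure counter and lockout.

    `identity` should be the target the OTP was issued for (e.g. the guest
    e-mail or ticket), not only the source IP: a limit keyed on the target
    bounds total guesses no matter how many addresses the guesses come from.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # identity -> timestamps of recent failures
        self.locked_until = {}              # identity -> time at which the lock expires

    def _prune(self, identity, now):
        q = self.failures[identity]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def verify(self, identity, submitted, expected):
        now = self.clock()
        if self.locked_until.get(identity, 0) > now:
            return "locked"            # refuse even a correct code while locked
        self._prune(identity, now)
        # compare_digest keeps the comparison time independent of matching digits
        if secrets.compare_digest(submitted, expected):
            self.failures.pop(identity, None)
            return "ok"
        self.failures[identity].append(now)
        if len(self.failures[identity]) >= MAX_ATTEMPTS:
            self.locked_until[identity] = now + LOCKOUT_SECONDS
            self.failures.pop(identity, None)
            return "locked"
        return "wrong"


def brute_force_success_probability(attempts, space=OTP_SPACE):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, space) / space
```

With the assumed policy, an attacker gets at most 5 guesses per lockout period, so the chance of hitting the code before the lock is 5/1,000,000 rather than certainty with unlimited attempts.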


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-17T21:59:39.750Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ce4e4eab7f779c79ff311b

Added to database: 9/20/2025, 6:48:46 AM

Last enriched: 9/20/2025, 6:49:50 AM

Last updated: 9/21/2025, 12:09:39 AM
