
CVE-2025-10658: CWE-307 Improper Restriction of Excessive Authentication Attempts in psmplugins SupportCandy – Helpdesk & Customer Support Ticket System

Severity: Medium
Published: Sat Sep 20 2025 (09/20/2025, 06:43:18 UTC)
Source: CVE Database V5
Vendor/Project: psmplugins
Product: SupportCandy – Helpdesk & Customer Support Ticket System

Description

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.

AI-Powered Analysis

Last updated: 09/28/2025, 00:47:21 UTC

Technical Analysis

CVE-2025-10658 is a medium-severity vulnerability affecting the SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress, developed by psmplugins. The vulnerability arises from improper restriction of excessive authentication attempts (CWE-307) on the plugin's OTP (One-Time Password) verification mechanism for guest logins. Specifically, the plugin lacks rate limiting on the 6-digit OTP verification process, allowing unauthenticated attackers to perform brute force attacks against the OTP input. Since the OTP is only 6 digits, the brute force space is limited to 1 million possibilities, which can be tested rapidly without any throttling or lockout mechanisms. This flaw enables attackers to bypass authentication controls and gain unauthorized access to customer support tickets, potentially exposing sensitive customer information and support interactions. The vulnerability affects all versions up to and including 3.3.7 of the plugin. The CVSS v3.1 base score is 6.5 (medium), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality and integrity but no availability impact. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was publicly disclosed on September 20, 2025.

Potential Impact

For European organizations using WordPress sites with the SupportCandy plugin, this vulnerability poses a significant risk to the confidentiality and integrity of customer support data. Unauthorized access to support tickets can lead to exposure of personally identifiable information (PII), sensitive business communications, and potentially confidential customer data. This could result in regulatory non-compliance under GDPR, reputational damage, and loss of customer trust. Since the vulnerability allows unauthenticated attackers to bypass authentication without user interaction, the risk is elevated, especially for organizations relying on SupportCandy for critical customer support workflows. The impact is particularly concerning for sectors handling sensitive data such as finance, healthcare, and telecommunications. However, the lack of availability impact means service disruption is unlikely. The absence of known exploits in the wild provides a window for mitigation before active exploitation occurs.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence and version of the SupportCandy plugin. Until an official patch is released, administrators should consider disabling guest login functionality or the SupportCandy plugin entirely if feasible. Implementing web application firewall (WAF) rules to detect and block rapid repeated OTP verification attempts can help mitigate brute force attacks. Monitoring logs for unusual authentication attempts and setting up alerting for repeated OTP failures are advised. Organizations should also enforce multi-factor authentication (MFA) for administrative access to WordPress and limit access to support ticket data to authorized personnel only. Once a patch becomes available, prompt application of updates is critical. Additionally, reviewing and minimizing the exposure of sensitive data in support tickets can reduce potential damage from unauthorized access.
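The log-monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the advisory, from psmplugins or from the SupportCandy plugin: it scans web server log lines for bursts of failed OTP-verification requests per client IP inside a sliding window and reports the IPs that cross a threshold. The log line format, the endpoint path `EXAMPLE_guest_otp_verify` and the assumption that a failed attempt returns a non-200 status are all constructed for this example; substitute the request path and failure signature your own deployment produces.

```python
"""Flag clients that repeatedly fail OTP verification (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <client_ip> <method> <path> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Hypothetical OTP verification endpoint; placeholder, not the plugin's real action name.
OTP_PATH = "/wp-admin/admin-ajax.php?action=EXAMPLE_guest_otp_verify"


def is_failed_otp_attempt(method, path, status):
    """Assumption for this example: a failed attempt is a POST to the OTP
    endpoint answered with a non-200 status."""
    return method == "POST" and path == OTP_PATH and status != 200


def detect_otp_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: time_of_first_alert} for every client IP that accumulates
    `threshold` or more failed OTP attempts within any sliding `window`.
    Lines are expected in chronological order per IP."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        status = int(m["status"])
        if not is_failed_otp_attempt(m["method"], m["path"], status):
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts


def _sample_log():
    """Constructed sample: one client hammering the OTP endpoint every 3 s,
    one legitimate user who mistypes twice, and an unrelated GET."""
    base = datetime(2025, 9, 21, 10, 0, 0)
    lines = []
    for i in range(12):  # 12 failures inside 33 seconds
        t = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{t} 203.0.113.7 POST {OTP_PATH} 403")
    for offset, status in ((5, 403), (95, 403), (130, 200)):
        t = (base + timedelta(seconds=offset)).isoformat()
        lines.append(f"{t} 198.51.100.2 POST {OTP_PATH} {status}")
    lines.append(f"{(base + timedelta(seconds=20)).isoformat()} 192.0.2.9 GET /support/ 200")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, first_seen in detect_otp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: threshold of failed OTP attempts reached at {first_seen.isoformat()}")
```

With the default threshold of 10 failures per 60 seconds, the sample reports `203.0.113.7` at the tenth failure (10:00:27) and stays silent for the user who fails twice minutes apart. The same per-IP sliding-window logic is what a WAF rate-limit rule on the OTP endpoint implements; the threshold should be far below the number of guesses needed to cover a 6-digit code space.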


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-17T21:59:39.750Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ce4e4eab7f779c79ff311b

Added to database: 9/20/2025, 6:48:46 AM

Last enriched: 9/28/2025, 12:47:21 AM

Last updated: 11/4/2025, 4:32:01 PM
