The Awesome Support WordPress HelpDesk & Support Plugin suffers from an authorization bypass vulnerability (CWE-862) due to missing capability checks in the 'wpas_do_mr_activate_user' function. This function fails to verify that the user has permission to modify other users' roles. Additionally, a nonce reuse issue exists where public registration nonces are reused for privileged actions because all actions share the same nonce namespace. An unauthenticated attacker who can access the public registration or submit ticket page can extract a valid nonce and use the 'wpas-do=mr_activate_user' action with a controlled 'user_id' parameter to demote administrators to low-privilege roles. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact.

The vulnerability allows unauthenticated attackers to demote administrator users to lower privilege roles, potentially reducing their ability to manage the WordPress site or plugin. This could lead to a loss of administrative control and weaken the security posture of the affected WordPress installation. There is no direct confidentiality impact, but integrity and availability impacts are low. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the public registration and submit ticket pages if possible, and monitor for suspicious activity related to user role changes. Avoid relying on the plugin's current authorization checks for critical user role modifications.