CVE-2025-5957: CWE-862 Missing Authorization in rcatheme Guest Support – Complete customer support ticket system for WordPress

Medium
Tags: Vulnerability, CVE-2025-5957, CWE-862
Published: Tue Jul 08 2025 (07/08/2025, 04:22:59 UTC)
Source: CVE Database V5
Vendor/Project: rcatheme
Product: Guest Support – Complete customer support ticket system for WordPress

Description

The Guest Support – Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete arbitrary support tickets.

AI-Powered Analysis

Last updated: 07/08/2025, 04:54:41 UTC

Technical Analysis

CVE-2025-5957 is a security vulnerability identified in the 'Guest Support – Complete customer support ticket system for WordPress' plugin developed by rcatheme. This plugin is designed to provide a customer support ticketing system within WordPress environments. The vulnerability stems from a missing authorization check (CWE-862) in the 'deleteMassTickets' function, which is responsible for deleting multiple support tickets at once. Specifically, the plugin fails to verify whether the user invoking this function has the necessary permissions to perform mass deletion of tickets. As a result, unauthenticated attackers can exploit this flaw to delete arbitrary support tickets without any authentication or user interaction. The vulnerability affects all versions up to and including 1.2.2. The CVSS v3.1 base score is 5.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) shows that the attack can be performed remotely over the network with low attack complexity, requires no privileges or user interaction, and impacts the integrity of data (ticket deletion) but does not affect confidentiality or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability could lead to loss of critical customer support data, undermining trust and operational continuity for organizations relying on this plugin for customer service management.

Potential Impact

For European organizations using the Guest Support WordPress plugin, this vulnerability poses a risk of unauthorized deletion of customer support tickets. This can result in loss of important customer communication records, disruption of support workflows, and potential compliance issues, especially under regulations like GDPR where data integrity and auditability are critical. The loss of ticket data can degrade customer service quality and damage organizational reputation. Since the vulnerability allows unauthenticated remote exploitation, attackers could target publicly accessible WordPress sites to delete support tickets en masse without leaving authentication traces. This could be leveraged as part of a broader attack to disrupt business operations or as a denial-of-service against customer support functions. The impact is primarily on data integrity, with no direct confidentiality or availability impact, but the operational consequences can be significant for customer-facing services.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify if the Guest Support plugin (versions up to 1.2.2) is in use. If found, they should consider disabling the plugin until a security patch is released. Since no patches are currently linked, organizations can implement temporary mitigations such as restricting access to the plugin's endpoints via web application firewalls (WAFs) or server-level access controls to block unauthenticated requests targeting the 'deleteMassTickets' function. Monitoring web server logs for suspicious requests to ticket deletion endpoints can help detect exploitation attempts. Additionally, organizations should enforce strict role-based access controls within WordPress and ensure that plugins are kept up to date. Backup strategies should be reviewed and tested to enable recovery of deleted tickets. Finally, organizations should subscribe to vendor advisories and CVE databases to apply official patches as soon as they become available.
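The following is an added illustration, not the plugin's own code, of the CWE-862 pattern behind this CVE in a WordPress AJAX handler and of the checks that close it. The hook name, post type, capability and nonce action are assumptions chosen for the example.

```php
<?php
// Added example (not rcatheme's code). Hook names, the 'gs_ticket' post type,
// the 'manage_options' capability and the nonce action are all hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Deletes whatever IDs the request names. There is no capability check, no
// nonce, and if a plugin registers this on 'wp_ajax_nopriv_*' it is reachable
// by unauthenticated visitors, which is the CWE-862 condition described above.
function gs_example_delete_mass_tickets_vulnerable() {
    $ids = array_map( 'intval', (array) ( $_POST['ticket_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true );
    }
    wp_send_json_success( array( 'deleted' => count( $ids ) ) );
}

// --- Hardened pattern -----------------------------------------------------
function gs_example_delete_mass_tickets_secure() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'gs_delete_mass_tickets', 'nonce' );

    // 2. Authorization (the check that is missing in the vulnerable version):
    //    only users holding the required capability may mass-delete tickets.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $ids     = array_map( 'intval', (array) ( $_POST['ticket_ids'] ?? array() ) );
    $deleted = 0;
    foreach ( $ids as $id ) {
        // 3. Object-level check: only posts of the ticket type are eligible,
        //    so the handler cannot be turned into a generic post deleter.
        if ( 'gs_ticket' === get_post_type( $id ) && wp_delete_post( $id, true ) ) {
            $deleted++;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Register only the authenticated hook. A destructive action should never be
// hooked to 'wp_ajax_nopriv_*', and the capability check above still applies
// to logged-in users who lack the right role.
add_action( 'wp_ajax_gs_delete_mass_tickets', 'gs_example_delete_mass_tickets_secure' );
```

When auditing a site for this class of bug, the things to look for are exactly the three checks above: a `wp_ajax_nopriv_` registration on a state-changing action, a handler with no `current_user_can()` call, and no nonce verification.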

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-09T19:40:09.044Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686ca0fc6f40f0eb72f14b9e

Added to database: 7/8/2025, 4:39:24 AM

Last enriched: 7/8/2025, 4:54:41 AM

Last updated: 7/8/2025, 4:54:41 AM
