CVE-2025-5957: CWE-862 Missing Authorization in rcatheme Guest Support – Complete customer support ticket system for WordPress
The Guest Support – Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete arbitrary support tickets.
AI Analysis
Technical Summary
CVE-2025-5957 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Guest Support – Complete customer support ticket system plugin for WordPress, developed by rcatheme. The vulnerability exists in all versions up to and including 1.2.2 due to the absence of a capability check in the 'deleteMassTickets' function. This function allows deletion of multiple support tickets but does not verify whether the requester is authorized to perform this action. Consequently, unauthenticated attackers can invoke this function remotely over the network to delete arbitrary support tickets, leading to unauthorized data modification. The vulnerability does not affect confidentiality or availability directly but compromises data integrity by allowing deletion of support tickets without permission. The CVSS 3.1 base score is 5.3, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). No known exploits have been reported in the wild, and no official patches or updates have been released as of the publication date. The vulnerability poses a risk to organizations relying on this plugin for customer support ticket management, potentially disrupting support workflows and causing loss of critical customer interaction data.
Potential Impact
The primary impact of CVE-2025-5957 is unauthorized deletion of customer support tickets, which can severely disrupt customer service operations. Loss of ticket data integrity may lead to unresolved customer issues, reduced customer satisfaction, and potential reputational damage. Organizations may face operational challenges in tracking and managing support requests, especially if ticket data is critical for compliance or audit purposes. While the vulnerability does not directly compromise confidentiality or availability, the integrity loss can indirectly affect business continuity and trust. Since exploitation requires no authentication and no user interaction, the attack surface is broad, increasing the likelihood of opportunistic attacks. The absence of known exploits currently limits immediate widespread impact, but the vulnerability remains a significant risk until patched. Organizations using this plugin in sectors such as e-commerce, IT services, and customer support are particularly vulnerable to operational disruptions.
Mitigation Recommendations
To mitigate CVE-2025-5957, organizations should immediately audit their WordPress installations to determine whether the Guest Support plugin at version 1.2.2 or earlier is in use. Until an official patch is released, administrators should consider disabling the plugin to prevent exploitation. If disabling is not feasible, restrict access to the WordPress admin area and plugin endpoints using network-level controls such as IP allowlisting or web application firewalls (WAFs) configured to block unauthorized requests targeting the 'deleteMassTickets' function. Implement strict role-based access controls within WordPress to limit plugin management capabilities to trusted users only. Monitor logs for unusual deletion activity or unauthorized access attempts. Stay informed on vendor updates and apply patches promptly once available. Additionally, maintain regular backups of support ticket data to enable recovery in case of data loss. Consider deploying intrusion detection systems (IDS) to detect exploitation attempts targeting this vulnerability.
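The following is an added illustration of the CWE-862 pattern described above and of the checks a patched handler needs; it is not the Guest Support plugin's code. It assumes the mass-delete action is exposed through a WordPress AJAX hook, and the hook name, capability, nonce action and ticket post type are placeholders.

```php
<?php
// Added illustration, not the Guest Support plugin's code. Hook name,
// capability, nonce action and the 'gs_ticket' post type are assumptions.

// BEFORE: the CWE-862 pattern. The handler deletes every ticket ID it is
// handed and never asks who is calling. Registering it on the
// wp_ajax_nopriv_* hook also makes it reachable without logging in.
function gs_delete_mass_tickets_unchecked() {
    $ids = array_map( 'intval', (array) ( $_POST['ticket_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true );
    }
    wp_send_json_success( array( 'deleted' => count( $ids ) ) );
}
// Shown for contrast only; a real plugin would register one handler, not both.
add_action( 'wp_ajax_gs_delete_mass_tickets', 'gs_delete_mass_tickets_unchecked' );
add_action( 'wp_ajax_nopriv_gs_delete_mass_tickets', 'gs_delete_mass_tickets_unchecked' );

// AFTER: a hardened form. Three controls, each of which blocks the
// unauthenticated case on its own:
//   1. no nopriv hook, so anonymous requests never reach the handler;
//   2. a nonce check, so a logged-in user cannot be tricked (CSRF) into deleting;
//   3. a capability check, so only users allowed to manage tickets proceed.
function gs_delete_mass_tickets_hardened() {
    check_ajax_referer( 'gs_delete_tickets', 'nonce' );        // 2: CSRF token

    if ( ! current_user_can( 'delete_others_posts' ) ) {        // 3: authorization
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $ids     = array_map( 'intval', (array) ( $_POST['ticket_ids'] ?? array() ) );
    $deleted = 0;
    foreach ( $ids as $id ) {
        // Only delete objects that are actually tickets; an arbitrary post ID
        // handed to a mass-delete endpoint must not remove other content.
        if ( 'gs_ticket' === get_post_type( $id ) && wp_delete_post( $id, true ) ) {
            $deleted++;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
add_action( 'wp_ajax_gs_delete_mass_tickets', 'gs_delete_mass_tickets_hardened' ); // 1: no nopriv
```

The WAF and log-monitoring advice above maps onto the same point: until a patched version ships, requests to the mass-delete action from sessions with no WordPress login cookie are the ones to block and alert on.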
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-09T19:40:09.044Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686ca0fc6f40f0eb72f14b9e
Added to database: 7/8/2025, 4:39:24 AM
Last enriched: 2/27/2026, 3:46:45 PM
Last updated: 3/21/2026, 3:35:12 AM