CVE-2025-67598 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the SupportCandy plugin developed by PSM Plugins, affecting versions up to and including 3.4.1. CSRF vulnerabilities occur when a web application does not adequately verify that requests made to it originate from an authenticated and intended user, allowing attackers to craft malicious requests that execute actions on behalf of the victim without their consent. In this case, SupportCandy lacks sufficient CSRF protections, enabling attackers to induce authenticated users to unknowingly perform actions such as submitting support tickets or modifying plugin settings. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting a medium severity level. The vector indicates the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:R). The impact is limited to confidentiality (C:L) with no integrity (I:N) or availability (A:N) impact. No known exploits have been reported in the wild, and no official patches have been linked at the time of publication. The vulnerability was publicly disclosed on December 9, 2025. SupportCandy is commonly used as a WordPress plugin for customer support ticketing, making it a target in environments relying on this software for client interaction and issue tracking. The lack of CSRF tokens or similar protections in the plugin's request handling is the root cause of this vulnerability.

For European organizations using SupportCandy, this vulnerability could allow attackers to perform unauthorized actions on behalf of legitimate users, potentially leading to unauthorized submission or modification of support tickets. While the direct impact on confidentiality is limited, attackers might leverage this to gather sensitive information indirectly or disrupt support workflows. The absence of integrity and availability impacts reduces the risk of data tampering or service disruption. However, organizations relying heavily on SupportCandy for customer interaction may face operational inefficiencies or reputational damage if attackers exploit this vulnerability to manipulate support processes. Since exploitation requires user interaction, phishing or social engineering campaigns could be used to trick users into triggering malicious requests. The medium severity rating suggests that while the risk is not critical, it should not be ignored, especially in sectors where customer support data confidentiality is important, such as finance, healthcare, or government services within Europe.

1. Monitor official channels from PSM Plugins and SupportCandy for security patches and apply them promptly once available. 2. Implement web application firewalls (WAF) with rules to detect and block CSRF attack patterns targeting SupportCandy endpoints. 3. Restrict access to SupportCandy administrative interfaces to trusted IP addresses or VPNs where feasible. 4. Educate users about phishing and social engineering tactics to reduce the likelihood of user interaction leading to exploitation. 5. If possible, implement additional CSRF protections at the web server or application level, such as validating Origin and Referer headers for requests to SupportCandy. 6. Review user roles and permissions within WordPress to minimize the number of users with privileges to perform sensitive actions in SupportCandy. 7. Conduct regular security audits and penetration tests focusing on plugin vulnerabilities and CSRF protections. 8. Consider temporary disabling or replacing SupportCandy with alternative support solutions if patches are delayed and risk is deemed unacceptable.