CVE-2025-67598 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the SupportCandy plugin developed by PSM Plugins, affecting all versions up to 3.4.1. CSRF vulnerabilities occur when a web application does not sufficiently verify that requests made to it originate from legitimate users, allowing attackers to trick authenticated users into submitting unintended requests. In this case, an attacker can craft malicious web content that, when visited by an authenticated user of SupportCandy, causes the plugin to perform unauthorized actions such as modifying support tickets, changing configurations, or other administrative tasks supported by the plugin. The vulnerability does not require the attacker to have direct access or credentials but relies on the victim being logged in and visiting a malicious site or link. No CVSS score has been assigned yet, and no public exploits have been reported, but the risk remains significant due to the nature of CSRF attacks. SupportCandy is commonly used in WordPress environments to manage customer support tickets, making it a critical component for organizations relying on it for customer service operations. The lack of anti-CSRF tokens or insufficient validation of request origins in the affected versions facilitates this attack vector. The vulnerability was published on December 9, 2025, and no patches or mitigations have been officially released at the time of this report. Organizations using SupportCandy should be aware of this risk and prepare to apply vendor patches or implement compensating controls to prevent exploitation.

For European organizations, the impact of CVE-2025-67598 can be significant, especially for those relying on SupportCandy for customer support and ticket management. Successful exploitation could lead to unauthorized modifications of support tickets, potentially disrupting customer service workflows and causing reputational damage. Attackers might manipulate ticket statuses, delete or alter customer requests, or change plugin settings, undermining data integrity and availability. This could result in delayed responses to customer issues, loss of trust, and operational inefficiencies. Additionally, if SupportCandy is integrated with other systems or workflows, the CSRF attack could cascade, affecting broader business processes. Confidentiality impact is limited since the vulnerability does not directly expose data but could be leveraged in multi-stage attacks. The ease of exploitation, requiring only that an authenticated user visits a malicious page, increases the risk profile. European organizations with strict data protection regulations (e.g., GDPR) must consider the compliance implications of unauthorized data manipulation or service disruption. The threat is particularly relevant for sectors with high customer interaction volumes, such as retail, finance, and public services.

To mitigate CVE-2025-67598, organizations should: 1) Monitor PSM Plugins’ official channels for patches and apply updates to SupportCandy promptly once available. 2) Implement web application firewalls (WAFs) with rules designed to detect and block CSRF attack patterns. 3) Enforce strict user session management and limit plugin access to only necessary roles with least privilege principles. 4) Employ anti-CSRF tokens in all forms and state-changing requests within the plugin to ensure requests originate from legitimate users. 5) Educate users about the risks of clicking on untrusted links, especially when logged into administrative portals. 6) Conduct regular security audits and penetration testing focusing on CSRF and other web vulnerabilities in the WordPress environment. 7) Consider isolating SupportCandy functionality to subdomains or segregated environments to reduce attack surface. 8) Review and harden Content Security Policy (CSP) headers to restrict the execution of untrusted scripts that could facilitate CSRF attacks.