CVE-2026-0683: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in psmplugins SupportCandy – Helpdesk & Customer Support Ticket System
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2026-0683 is an SQL Injection vulnerability classified under CWE-89, affecting the SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress in all versions up to and including 3.4.4. The vulnerability stems from insufficient escaping of user-supplied input in the Number-type custom field filter when using the equals operator, combined with a lack of prepared statements in the SQL query construction. This flaw allows authenticated attackers with Subscriber-level privileges or higher to append arbitrary SQL commands to existing queries. Because the plugin is used in customer support ticket systems, the injected SQL can be leveraged to extract sensitive information from the backend database, such as user data, tickets, or configuration details. The vulnerability does not require user interaction and can be exploited remotely over the network, with a low attack complexity. The CVSS v3.1 base score is 6.5, reflecting a medium severity primarily due to the requirement for authenticated access, but with high confidentiality impact and no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin’s widespread use in WordPress environments makes this a relevant threat vector, especially for organizations relying on SupportCandy for customer support operations.
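As an added illustration (not SupportCandy's code, which this page does not show), the construction pattern the description implies for a Number-type filter with the equals operator, beside a hardened form that allowlists the operator, validates the operand and binds it through WordPress's `$wpdb->prepare()`; the function names, column placeholder and operator allowlist are assumptions.

```php
<?php
// Hypothetical Number-type custom field filter. $column is a placeholder for a
// known custom field column; neither function is taken from the plugin.

// VULNERABLE PATTERN: the operand is concatenated into the SQL string with no
// escaping and no prepare(), so a non-numeric operand is executed as SQL.
function build_number_filter_vulnerable( $column, $operator, $operand ) {
    if ( 'equals' === $operator ) {
        return "`$column` = " . $operand;   // raw user input inside the query
    }
    return '1=1';
}

// HARDENED PATTERN: allowlist the operator, require a numeric operand, and let
// $wpdb->prepare() bind it as %d. Note that esc_sql() alone would not help: the
// operand sits outside quotes, so quote-escaping leaves an injected clause intact.
function build_number_filter_hardened( $column, $operator, $operand ) {
    global $wpdb;
    $operators = array( 'equals' => '=', 'greater' => '>', 'less' => '<' );
    if ( ! isset( $operators[ $operator ] ) ) {
        return null;                         // unknown operator: refuse it
    }
    if ( ! is_numeric( $operand ) ) {
        return null;                         // Number-type field: numbers only
    }
    // $column must itself come from an allowlist of known custom field names;
    // prepare() binds values, not identifiers. Use %f instead of %d for decimals.
    return $wpdb->prepare( "`$column` {$operators[ $operator ]} %d", (int) $operand );
}
```

The hardened form returns `null` for anything it cannot bind safely, so the caller must treat a missing fragment as "no filter" rather than falling back to concatenation.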
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive customer and internal data stored within the SupportCandy plugin’s database tables. This breach of confidentiality could result in privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential financial penalties. Since the vulnerability requires only Subscriber-level authentication, attackers could leverage compromised or weak user credentials to gain access and exploit the flaw. The impact is particularly critical for organizations handling sensitive customer support information or personal data. Additionally, the exposure of internal ticketing data could facilitate further targeted attacks or social engineering campaigns. The lack of impact on integrity and availability limits the scope to data leakage, but the confidentiality breach alone is significant. European entities with high WordPress usage and reliance on this plugin are at increased risk, especially in sectors like finance, healthcare, and government, where data sensitivity is paramount.
Mitigation Recommendations
1. Monitor for and apply official patches or updates from the plugin vendor as soon as they are released.
2. Until patches are available, restrict access to the SupportCandy plugin's administrative and user interfaces to trusted users only, minimizing the number of accounts with Subscriber-level or higher privileges.
3. Implement Web Application Firewalls (WAFs) with SQL Injection detection and prevention rules tailored to recognize malicious payloads targeting the Number-type custom field filter.
4. Conduct regular audits of user accounts and permissions to ensure no unnecessary accounts have elevated privileges.
5. Employ database activity monitoring to detect unusual query patterns indicative of SQL injection attempts.
6. Consider disabling or limiting the use of custom field filters in SupportCandy if not essential.
7. Educate users about credential hygiene to prevent account compromise.
8. Review and enhance logging and alerting mechanisms to quickly identify exploitation attempts.
9. If feasible, isolate the WordPress environment hosting SupportCandy to reduce lateral movement risk in case of compromise.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-07T18:31:17.181Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697d9d60ac06320222110317
Added to database: 1/31/2026, 6:12:48 AM
Last enriched: 1/31/2026, 6:27:09 AM
Last updated: 1/31/2026, 8:41:42 AM