CVE-2026-0683 identifies a SQL Injection vulnerability in the SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress, present in all versions up to and including 3.4.4. The vulnerability is due to improper neutralization of special elements in SQL commands (CWE-89), specifically within the Number-type custom field filter. The plugin fails to adequately escape user-supplied input when using the equals operator and does not employ prepared statements for the SQL queries involved. This allows authenticated users with Subscriber-level access or higher to append arbitrary SQL code to existing queries. As a result, attackers can extract sensitive information from the backend database without requiring administrative privileges or user interaction beyond login. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and privileges at the level of a subscriber (PR:L). The impact is primarily on confidentiality (C:H), with no direct effect on integrity or availability. No known public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's role in managing customer support data. The lack of patches at the time of reporting necessitates immediate attention from administrators to mitigate potential exploitation.

The primary impact of CVE-2026-0683 is unauthorized disclosure of sensitive data stored within the SupportCandy plugin's database, which may include customer support tickets, personal information, and internal notes. This can lead to privacy violations, regulatory non-compliance, and reputational damage for affected organizations. Since the vulnerability allows data extraction by users with minimal privileges, insider threats or compromised subscriber accounts could be leveraged to escalate data breaches. The attack does not affect data integrity or availability directly but compromises confidentiality significantly. Organizations relying on SupportCandy for customer support risk exposure of sensitive customer data, which could be exploited for further attacks such as phishing or social engineering. The medium CVSS score reflects the balance between the ease of exploitation and the scope of impact, but the potential for sensitive data leakage makes this a critical concern for data protection and compliance frameworks globally.

Organizations should immediately audit their WordPress installations to identify the presence of the SupportCandy plugin and its version. Until an official patch is released, administrators should restrict Subscriber-level user capabilities to the minimum necessary and monitor for unusual database queries or access patterns. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection attempts targeting the Number-type custom field filter can provide temporary protection. Additionally, applying database-level access controls to limit the exposure of sensitive tables and employing database activity monitoring can help detect exploitation attempts. Developers and administrators should advocate for or contribute to the release of a patched plugin version that employs prepared statements and proper input validation. Regular backups and incident response plans should be updated to address potential data breaches stemming from this vulnerability. Finally, educating users about the risks of credential compromise and enforcing strong authentication mechanisms can reduce the likelihood of exploitation.