The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress suffers from an authorization bypass vulnerability classified as CWE-639: Authorization Bypass Through User-Controlled Key. This vulnerability exists in all versions up to and including 3.4.4 within the 'add_reply' function. The root cause is the lack of proper validation on the 'description_attachments' parameter, which accepts user-supplied attachment IDs. Authenticated users with subscriber-level privileges or higher can exploit this flaw to specify arbitrary attachment IDs belonging to other users. By doing so, they can re-associate these attachments to their own support tickets, effectively stealing access to files uploaded by others and simultaneously removing the original owners' access. The vulnerability is an Insecure Direct Object Reference (IDOR) that compromises confidentiality and integrity of user data. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No known public exploits have been reported yet. The vulnerability affects a widely used WordPress plugin designed for customer support ticket management, which is often deployed in organizations relying on WordPress for their helpdesk solutions. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.

This vulnerability allows attackers with minimal privileges (subscriber-level) to access and steal sensitive file attachments uploaded by other users, violating confidentiality. By re-associating attachments to their own tickets, attackers can also disrupt the integrity of ticket data and deny access to legitimate users, potentially causing operational disruptions. Organizations relying on SupportCandy for customer support risk exposure of confidential customer information, intellectual property, or personally identifiable information (PII) contained in attachments. This can lead to data breaches, regulatory non-compliance, reputational damage, and loss of customer trust. Since the attack requires authentication but no user interaction, insider threats or compromised accounts can easily exploit this flaw. The vulnerability does not affect availability directly but can indirectly impact service quality and user confidence in the helpdesk system.

Organizations should immediately audit their SupportCandy plugin versions and upgrade to a patched release once available. Until a patch is released, implement strict access controls and monitoring on the WordPress environment, especially limiting subscriber-level user capabilities where possible. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests manipulating the 'description_attachments' parameter. Conduct regular reviews of file attachment permissions and ticket associations to detect unauthorized changes. Consider disabling file attachment features temporarily if feasible. Additionally, enforce strong authentication mechanisms and monitor user activity logs for anomalous behavior indicative of exploitation attempts. Engage with the plugin vendor or community to obtain timely security updates and share threat intelligence. Finally, educate users about the risks of account compromise and enforce least privilege principles.