CVE-2026-1251: CWE-639 Authorization Bypass Through User-Controlled Key in psmplugins SupportCandy – Helpdesk & Customer Support Ticket System
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.
AI Analysis
Technical Summary
CVE-2026-1251 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the SupportCandy Helpdesk & Customer Support Ticket System plugin for WordPress, versions up to and including 3.4.4. The vulnerability arises from insufficient validation of user-controlled input in the 'add_reply' function, specifically the 'description_attachments' parameter. Authenticated users with subscriber-level privileges or higher can exploit this flaw by specifying arbitrary attachment IDs, which allows them to re-associate file attachments originally uploaded by other users to their own support tickets. This effectively steals access to those files and removes the original owners' access rights. The attack vector is remote network-based (AV:N), requires low attack complexity (AC:L), and only requires privileges equivalent to subscriber level (PR:L), with no user interaction (UI:N). The vulnerability impacts confidentiality and integrity by enabling unauthorized access and modification of file associations but does not affect availability. No patches were linked at the time of publication, and no active exploits have been reported. The vulnerability is significant in environments where sensitive or confidential attachments are handled through the SupportCandy plugin, potentially exposing private customer data or internal documents.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure and modification of sensitive attachments managed within the SupportCandy plugin on WordPress sites. Organizations relying on this plugin for customer support and ticket management may face data confidentiality breaches, potentially violating GDPR requirements concerning personal data protection. The ability for low-privilege users to access and reassign files could lead to insider threats or exploitation by compromised accounts. This could damage organizational reputation, lead to regulatory fines, and disrupt customer trust. Since the vulnerability does not affect availability, service disruption is less likely, but the integrity and confidentiality impacts are significant, especially for sectors handling sensitive customer information such as finance, healthcare, and public services. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
- Immediately audit user roles and restrict subscriber-level permissions to the minimum necessary, limiting access to the SupportCandy plugin features.
- Monitor and log attachment access and modifications within the plugin to detect suspicious re-association activities.
- Apply vendor patches or updates as soon as they become available; if no patch exists, consider temporarily disabling the plugin or restricting its use to trusted users only.
- Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous requests targeting the 'description_attachments' parameter.
- Conduct regular security assessments of WordPress plugins, focusing on access control and input validation.
- Educate support staff and users about the risks of unauthorized access and encourage strong authentication practices to reduce the likelihood of account compromise.
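The Technical Summary above describes the CWE-639 shape: a request parameter carries attachment IDs, and the server trusts them as keys without checking who uploaded the referenced files. The following is an added illustration, not SupportCandy's code, of that pattern next to a hardened handler that resolves each key server-side, requires the caller to own both the attachment and the target ticket, and writes an audit line when a re-association is refused (which also serves the monitoring recommendation in the mitigations). Only the WordPress core functions used here are real; the table names, columns, helper functions and the AJAX action name are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Storage layout is hypothetical:
// {prefix}ticket_attachments(id, uploaded_by, ticket_id) and
// {prefix}tickets(id, created_by). Only the WP core calls are real APIs.

// ---- Vulnerable pattern (the defect class described in the summary) ----
// Every ID in description_attachments is accepted as an opaque key and
// re-pointed at the caller's ticket; nobody checks who uploaded the file.
function insecure_attach_to_ticket( int $ticket_id, array $attachment_ids ): void {
    global $wpdb;
    $table = $wpdb->prefix . 'ticket_attachments'; // hypothetical table
    foreach ( $attachment_ids as $id ) {
        $wpdb->update( $table, array( 'ticket_id' => $ticket_id ), array( 'id' => absint( $id ) ) );
    }
}

// ---- Hardened pattern ----
// Hypothetical helper: does the current user own the ticket being replied to?
function caller_owns_ticket( int $user_id, int $ticket_id ): bool {
    global $wpdb;
    $tickets = $wpdb->prefix . 'tickets'; // hypothetical table
    $owner   = $wpdb->get_var( $wpdb->prepare(
        "SELECT created_by FROM {$tickets} WHERE id = %d", $ticket_id ) );
    return null !== $owner && (int) $owner === $user_id;
}

// Resolve each user-supplied key server-side. An attachment may be bound only
// if the current user uploaded it and it is not yet attached to any ticket.
// The whole request is rejected on the first mismatch and the attempt logged.
function secure_attach_to_ticket( int $ticket_id, array $attachment_ids ): bool {
    global $wpdb;
    $table   = $wpdb->prefix . 'ticket_attachments'; // hypothetical table
    $user_id = get_current_user_id();
    $ids     = array_values( array_unique( array_map( 'absint', $attachment_ids ) ) );

    if ( 0 === $user_id || ! caller_owns_ticket( $user_id, $ticket_id ) ) {
        return false;
    }

    foreach ( $ids as $id ) {
        $row = $wpdb->get_row( $wpdb->prepare(
            "SELECT id, uploaded_by, ticket_id FROM {$table} WHERE id = %d", $id ) );
        if ( ! $row || (int) $row->uploaded_by !== $user_id || 0 !== (int) $row->ticket_id ) {
            // Audit trail for the monitoring recommendation: a denied re-association.
            error_log( sprintf(
                'attachment re-association denied: user=%d ticket=%d attachment=%d',
                $user_id, $ticket_id, $id
            ) );
            return false;
        }
    }

    // All keys validated against the caller; only now mutate the associations.
    foreach ( $ids as $id ) {
        $wpdb->update(
            $table,
            array( 'ticket_id' => $ticket_id ),
            array( 'id' => $id ),
            array( '%d' ),
            array( '%d' )
        );
    }
    return true;
}

// Request wiring (hypothetical action and parameter names, modelled on the
// add_reply / description_attachments names in the advisory).
function handle_add_reply_request(): void {
    check_ajax_referer( 'add_reply', 'nonce' ); // CSRF check; not the IDOR fix
    $ticket_id   = absint( $_POST['ticket_id'] ?? 0 );
    $attachments = isset( $_POST['description_attachments'] ) && is_array( $_POST['description_attachments'] )
        ? $_POST['description_attachments']
        : array();

    if ( ! secure_attach_to_ticket( $ticket_id, $attachments ) ) {
        wp_send_json_error( array( 'message' => 'attachment not permitted' ), 403 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_add_reply', 'handle_add_reply_request' );
```

The important design choice is that ownership is checked for every key before any row is updated, so a request mixing one legitimate and one foreign attachment ID changes nothing and leaves a log line carrying the requesting user, the target ticket and the refused attachment ID; those three fields are what a detection rule for "re-association of files the requester did not upload" would key on.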
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-20T19:04:14.485Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697da7ecac06320222134c3b
Added to database: 1/31/2026, 6:57:48 AM
Last enriched: 1/31/2026, 7:12:06 AM
Last updated: 1/31/2026, 9:04:29 AM