This vulnerability in SupportCandy (PSM Plugins) is classified as CWE-639: Authorization Bypass Through User-Controlled Key. It allows an attacker with low privileges to bypass authorization controls by manipulating keys that reference subscriber objects, potentially exposing sensitive subscriber information. The CVSS 3.1 vector indicates the attack can be performed remotely over the network with low attack complexity and no user interaction, impacting confidentiality (high), integrity (low), and availability (low). The vulnerability affects SupportCandy versions up to 3.4.6, but exact affected versions are not explicitly confirmed. No vendor advisory or patch information is currently available.

Successful exploitation could lead to unauthorized disclosure of subscriber data, compromising confidentiality. The integrity and availability impacts are lower but present. This could affect user privacy and trust in the affected system. There is no evidence of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to SupportCandy interfaces to trusted users only and monitor for unusual access patterns related to subscriber data. Avoid exposing user-controlled keys in URLs or API parameters if possible.