SupportCandy – Helpdesk & Customer Support Ticket System Vulnerabil…

Jan 30, 2026 | Plugins

Attack Vectors

SupportCandy – Helpdesk & Customer Support Ticket System (WordPress plugin slug: supportcandy) is affected by a Medium severity issue (CVSS 5.4) in versions up to and including 3.4.4. The vulnerability (CVE-2026-1251) can be exploited by an authenticated user with subscriber-level access or higher.

The attack path involves the plugin’s add_reply functionality, where an attacker can supply an arbitrary attachment identifier through the description_attachments parameter. In practical terms, this means a low-privilege logged-in account could attempt to target file attachments uploaded by other users and associate them with the attacker’s own support tickets.

Security Weakness

This issue is an Insecure Direct Object Reference (IDOR), caused by missing validation on a user-controlled key within the add_reply flow. When access checks are insufficient, an authenticated user may be able to reference objects (in this case, attachment IDs) that they should not be permitted to access.

According to the published vulnerability details, this weakness can allow an attacker to re-associate attachments to their own tickets, which can also result in removing access from the original owners. For organizations, this represents a breakdown in the expected separation between customer records and internal workflows.
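The following plain PHP is an added illustration of the missing ownership check described above; it is not SupportCandy's code. The in-memory attachment store, its field names, the user and ticket IDs and the function names are constructed assumptions; in a real WordPress handler the user ID would come from get_current_user_id().

```php
<?php
// Added example (not the plugin's code): validating a request-supplied list of
// attachment IDs before a reply binds them to a ticket.

// Constructed attachment store (hypothetical schema): id => [uploader, ticket].
// ticket_id 0 means the upload is not yet bound to any ticket.
$attachments = [
    101 => ['uploaded_by' => 7, 'ticket_id' => 0],   // user 7's unbound upload
    102 => ['uploaded_by' => 7, 'ticket_id' => 55],  // already on user 7's ticket 55
    103 => ['uploaded_by' => 9, 'ticket_id' => 88],  // another user's attachment
];

// Unchecked pattern: every ID that exists is bound, regardless of who owns it.
function bind_attachments_unchecked(array $store, array $ids): array {
    $bound = [];
    foreach ($ids as $id) {
        if (isset($store[(int) $id])) {
            $bound[] = (int) $id;
        }
    }
    return $bound;
}

// Hardened pattern: keep only IDs the requesting user is allowed to use.
function bind_attachments_checked(array $store, array $ids, int $ticket, int $user): array {
    $bound = [];
    foreach (array_unique(array_map('intval', $ids)) as $id) {
        if (!isset($store[$id])) {
            continue; // unknown ID: ignore rather than error out
        }
        $a = $store[$id];
        if ($a['uploaded_by'] !== $user) {
            continue; // not uploaded by the requester
        }
        if ($a['ticket_id'] !== 0 && $a['ticket_id'] !== $ticket) {
            continue; // already bound to a different ticket: cannot be re-associated
        }
        $bound[] = $id;
    }
    return $bound;
}

// Constructed request: user 7 replies to ticket 55 with a mixed ID list.
$requested = ['101', '102', '103', '999'];
var_dump(bind_attachments_unchecked($attachments, $requested));      // 101, 102, 103
var_dump(bind_attachments_checked($attachments, $requested, 55, 7)); // 101, 102
```

Rejected IDs (here 103 and 999) are a useful signal: logging them per user gives support administrators a way to spot repeated probing of other customers' attachments.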

Technical or Business Impacts

The most direct impact is potential data exposure: attackers may be able to steal file attachments uploaded by other users. For marketing, executive leadership, and compliance teams, the key risk is that attachments commonly include sensitive content such as contracts, invoices, screenshots, customer identifiers, product roadmaps, or regulated personal information.

There is also a business process risk: if attachments can be re-associated and access removed from the original owners, support operations may experience case disruption, slower resolution times, and avoidable customer friction. This can drive reputational damage and increased cost-to-serve—especially if customers perceive that support portals are not handling their files safely.

Remediation: Update SupportCandy – Helpdesk & Customer Support Ticket System to version 3.4.5 or newer, which is the recommended patched release for this issue.

Similar Attacks

IDOR-style weaknesses are a common cause of real-world data exposure because they let one user access another user’s records by manipulating identifiers. Examples include:

OWASP: Insecure Direct Object Reference (IDOR) — a widely cited class of access control failure that has repeatedly led to unauthorized access to files and records.

PortSwigger Web Security Academy: IDOR — practical examples of how object reference flaws enable cross-user data access when authorization checks are missing or incomplete.
