SupportCandy – Helpdesk & Customer Support Ticket System Vulnerabil…

Jan 30, 2026 | Plugins

Attack Vectors

SupportCandy – Helpdesk & Customer Support Ticket System (WordPress plugin slug: supportcandy) has a Medium severity vulnerability (CVSS 6.5) identified as CVE-2026-0683 that can be exploited by authenticated users with Subscriber-level access or higher.

The reported attack path involves the plugin’s Number-type custom field filter when the equals operator is used. In practical business terms, this means an attacker who can log in as a low-privilege user (including customer-type accounts, depending on your site setup) may be able to manipulate how the site queries its database through the filtering interface.

Security Weakness

The core issue is an SQL Injection weakness caused by insufficient escaping of a user-supplied operand value and insufficient preparation of the existing SQL query. This combination can allow a logged-in attacker to append additional SQL to an otherwise legitimate database query.
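To make the weakness concrete, the following is an added illustrative example written for this page; it is not SupportCandy's code and does not reproduce the plugin's internals. It assumes a hypothetical helpdesk table named `{$wpdb->prefix}helpdesk_ticket_numbers` with columns `ticket_id` and `field_value`, and a hypothetical filter that receives a comparison operator and a user-supplied operand. The first function shows the weak pattern the advisory describes (operand interpolated into the query text without escaping or preparation); the second shows the hardened form using an operator allowlist, numeric validation, and `$wpdb->prepare()` so the operand is bound as a value rather than parsed as SQL.

```php
<?php
// Added example for this page; not SupportCandy's code.
// Assumes a hypothetical table {$wpdb->prefix}helpdesk_ticket_numbers
// with columns ticket_id and field_value.

/**
 * WEAK PATTERN (do not use): the operand and operator are concatenated
 * straight into the SQL string. Whatever the filter request contains becomes
 * part of the query text, so a non-numeric operand can alter the query's
 * structure instead of only its compared value. This is the class of defect
 * the advisory describes: no escaping of the operand and no prepared query.
 */
function weak_number_filter_sql( $operator, $operand ) {
    global $wpdb;
    $table = $wpdb->prefix . 'helpdesk_ticket_numbers';
    return "SELECT ticket_id FROM {$table} WHERE field_value {$operator} {$operand}";
}

/**
 * HARDENED PATTERN: validate the operator against a fixed allowlist, require
 * the operand to be numeric, and let $wpdb->prepare() bind the value.
 * Returns an array of ticket ids, or a WP_Error on invalid input.
 */
function hardened_number_filter_ids( $operator, $operand ) {
    global $wpdb;

    // Only these comparison operators are ever interpolated into SQL.
    $allowed_operators = array( '=', '!=', '<', '<=', '>', '>=' );
    if ( ! in_array( $operator, $allowed_operators, true ) ) {
        return new WP_Error( 'bad_operator', 'Unsupported comparison operator.' );
    }

    // A Number-type field only accepts numeric operands; reject anything else
    // before it gets near the query.
    if ( ! is_numeric( $operand ) ) {
        return new WP_Error( 'bad_operand', 'Operand must be numeric.' );
    }

    $table = $wpdb->prefix . 'helpdesk_ticket_numbers';

    // The operator comes from our own allowlist, so interpolating it is safe.
    // The operand is bound with the %f placeholder, so MySQL receives a number
    // literal and never sees attacker-controlled query text.
    $sql = $wpdb->prepare(
        "SELECT ticket_id FROM {$table} WHERE field_value {$operator} %f",
        (float) $operand
    );

    return $wpdb->get_col( $sql );
}

/**
 * Example handler wiring (hypothetical AJAX action name): capability and
 * nonce checks are defense in depth, not a substitute for the prepared query,
 * because the advisory's attacker is already an authenticated Subscriber.
 */
function example_number_filter_handler() {
    check_ajax_referer( 'example_number_filter', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required.', 401 );
    }

    $operator = isset( $_POST['operator'] ) ? sanitize_text_field( wp_unslash( $_POST['operator'] ) ) : '=';
    $operand  = isset( $_POST['operand'] ) ? sanitize_text_field( wp_unslash( $_POST['operand'] ) ) : '';

    $result = hardened_number_filter_ids( $operator, $operand );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'ticket_ids' => array_map( 'intval', $result ) ) );
}
add_action( 'wp_ajax_example_number_filter', 'example_number_filter_handler' );
```

When reviewing a filter of this kind, the two questions to ask are whether every user-controlled fragment of the query (operand, operator, column or field name) is either bound through `$wpdb->prepare()` or constrained to an allowlist, and whether the check happens in the server-side handler rather than only in the browser form.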

Because this flaw is present in SupportCandy versions up to and including 3.4.4, organizations running those versions may have exposure until they apply the vendor’s fix. The recommended remediation is to update to SupportCandy 3.4.5 or a newer patched version.

Technical or Business Impacts

The primary risk described for CVE-2026-0683 is exposure of sensitive information from the WordPress database. For business owners, this can translate into the loss of customer data, helpdesk records, contact details, internal notes, or other stored information—depending on what your WordPress database contains.

Even with a Medium severity rating, the business impact can be significant because the vulnerability has a high confidentiality impact in its CVSS profile. Potential outcomes include compliance concerns (privacy obligations and audit findings), reputational damage (loss of customer trust if ticket data is accessed), and operational distraction (incident response time, communications, and recovery activities).

From a governance standpoint, the key risk driver is that exploitation requires only low privileges (Subscriber+)—so organizations that allow user registration, customer portals, or any login-based support workflow should treat patching as a priority.

Similar Attacks

SQL injection has been repeatedly used to extract sensitive data from web application databases across many platforms and industries. Real-world examples include:

U.S. Department of Justice: Latvian man extradited for hacking conspiracy involving SQL injection attacks

Cloudflare overview: SQL injection as a common data-exfiltration technique

For official reference on this specific issue, see the CVE-2026-0683 record and the published advisory source, the Wordfence vulnerability entry.
