
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 5 (Critical: 0, High: 1, Medium: 4)
CVE-2026-1251 - Customer Support Ticket System Plugin

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.

Plugin: Customer Support Ticket System | Severity: MEDIUM (CVSS 5.4) | 2026-01-31 | Threat entry updated: 2026-04-15
CVE-2026-0683 - Customer Support Ticket System Plugin

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Customer Support Ticket System | Severity: MEDIUM (CVSS 6.5) | 2026-01-31 | Threat entry updated: 2026-04-15
CVE-2025-10658 - Customer Support Ticket System Plugin

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute-forcing the 6-digit OTP code.

Plugin: Customer Support Ticket System | Severity: MEDIUM (CVSS 6.5) | 2025-09-20 | Threat entry updated: 2025-09-22
CVE-2024-13552 - Customer Support Ticket System Plugin

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlled key. This makes it possible for authenticated attackers to download attachments for support tickets that don't belong to them. If an admin enables tickets for guests, this can be exploited by unauthenticated attackers.

Plugin: Customer Support Ticket System | Severity: MEDIUM (CVSS 4.3) | 2025-03-07 | Threat entry updated: 2025-03-07
CVE-2024-13568 - Customer Support Ticket System Plugin

The Fluent Support – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the 'fluent-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/fluent-support directory which can contain file attachments included in support tickets.

Plugin: Customer Support Ticket System | Severity: HIGH (CVSS 7.5) | 2025-03-01 | Threat entry updated: 2025-05-26