CVE-2026-1251 Overview
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 3.4.4. The flaw exists in the add_reply function due to missing validation on a user-controlled key. This vulnerability allows authenticated attackers with subscriber-level access or above to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the description_attachments parameter, effectively re-associating those files to their own tickets and removing access from the original owners.
Critical Impact
Authenticated users can steal sensitive file attachments from other users' support tickets, potentially exposing confidential business documents, personal information, or proprietary data shared through the helpdesk system.
Affected Products
- SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress versions up to and including 3.4.4
Discovery Timeline
- 2026-01-31 - CVE-2026-1251 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-1251
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a type of Insecure Direct Object Reference flaw. The core issue lies within the add_reply function in the SupportCandy plugin, which fails to properly validate whether the authenticated user has legitimate ownership or access rights to the attachment IDs being referenced.
When a user submits a reply to a support ticket, they can manipulate the description_attachments parameter to include attachment IDs that belong to other users' tickets. Because the function does not verify that the requesting user owns or has permission to access these attachments, the system blindly re-associates the specified files with the attacker's ticket. This not only grants unauthorized access to the files but also removes access from the legitimate owners.
The attack requires only subscriber-level authentication, which is the most basic authenticated role in WordPress. This low privilege requirement significantly increases the attack surface, as many WordPress sites allow public user registration with subscriber access by default.
Root Cause
The root cause is the absence of proper authorization checks in the add_reply function within the class-wpsc-individual-ticket.php file. The function accepts attachment IDs through the description_attachments parameter without verifying that the requesting user has legitimate access to those attachments. The vulnerable code path can be examined in the WordPress Ticket Class Code.
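The missing ownership check described above, as an added PHP model that is not SupportCandy's own code: the vulnerable re-parenting pattern beside a hardened version. The in-memory $store, parse_ids and the two add_reply_* functions are constructed for this demonstration and omit agent roles.

```php
<?php
// Added example, not SupportCandy's code: a self-contained PHP model of the ownership
// check an add_reply handler needs before re-associating attachment IDs taken from
// description_attachments. The $store layout and function names are constructed;
// agent roles are omitted, so only the ticket's customer may reply here.
$store = [ // constructed sample data
    'tickets' => [10 => ['customer_id' => 5], 11 => ['customer_id' => 7]],
    'attachments' => [ // ticket_id 0 = uploaded but not yet attached to a ticket
        100 => ['ticket_id' => 0,  'uploaded_by' => 5], // user 5's fresh upload
        200 => ['ticket_id' => 11, 'uploaded_by' => 7], // lives on user 7's ticket
    ],
];
function parse_ids(string $csv): array {
    return array_map('intval', array_filter(explode(',', $csv), 'is_numeric'));
}
// Vulnerable pattern (CWE-639): every client-supplied ID is re-parented as-is.
function add_reply_vulnerable(array &$store, int $ticket_id, string $csv): void {
    foreach (parse_ids($csv) as $id) {
        if (isset($store['attachments'][$id])) {
            $store['attachments'][$id]['ticket_id'] = $ticket_id; // no owner check
        }
    }
}
// Hardened pattern: accept an ID only if the requester may reply to the ticket AND
// the file is an unattached upload by the requester or already on that ticket.
// One foreign ID rejects the whole reply before any record is modified.
function add_reply_hardened(array &$store, int $user, int $ticket_id, string $csv): array {
    $ticket = $store['tickets'][$ticket_id] ?? null;
    if ($ticket === null || $ticket['customer_id'] !== $user) {
        return ['ok' => false, 'error' => 'cannot reply to this ticket'];
    }
    $ids = parse_ids($csv);
    foreach ($ids as $id) {
        $att = $store['attachments'][$id] ?? null;
        $own_upload = $att && $att['ticket_id'] === 0 && $att['uploaded_by'] === $user;
        $on_ticket  = $att && $att['ticket_id'] === $ticket_id;
        if (!$own_upload && !$on_ticket) {
            return ['ok' => false, 'error' => "attachment $id is not yours"];
        }
    }
    foreach ($ids as $id) {
        $store['attachments'][$id]['ticket_id'] = $ticket_id;
    }
    return ['ok' => true, 'attached' => $ids];
}
// User 5 replies to ticket 10 naming its own upload (100) and user 7's file (200):
// the hardened handler rejects the reply and file 200 stays on ticket 11.
$r = add_reply_hardened($store, 5, 10, '100,200');
echo $r['ok'] ? "accepted\n" : "rejected: {$r['error']}\n";
echo 'attachment 200 now on ticket ', $store['attachments'][200]['ticket_id'], "\n";
```

Rejecting the whole reply rather than silently dropping foreign IDs keeps the failure visible in application logs, which supports the audit logging recommended below.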
Attack Vector
The attack is network-based and can be executed by any authenticated user with at least subscriber-level privileges. The attacker needs to:
- Authenticate to the WordPress site with a subscriber or higher-level account
- Create or access an existing support ticket
- Submit a reply containing manipulated description_attachments parameter values with attachment IDs belonging to other users' tickets
- The system re-associates the targeted attachments to the attacker's ticket, granting unauthorized access
The exploitation requires no user interaction from the victim and can be performed with low attack complexity. The attacker can enumerate attachment IDs or target specific known IDs to access sensitive documents uploaded by other users in their support requests.
Detection Methods for CVE-2026-1251
Indicators of Compromise
- Unusual patterns of ticket replies containing attachment IDs that were not originally uploaded to that ticket
- Log entries showing multiple attachment associations being modified in rapid succession
- Support tickets with attachments that users report they did not upload
Detection Strategies
- Monitor WordPress and plugin logs for unusual activity in the add_reply function
- Implement audit logging for attachment ownership changes on support tickets
- Review access logs for authenticated users making repeated POST requests with varying attachment IDs
Monitoring Recommendations
- Enable detailed logging for the SupportCandy plugin to track attachment operations
- Set up alerts for bulk attachment re-association events
- Periodically audit ticket attachments to verify ownership integrity
How to Mitigate CVE-2026-1251
Immediate Actions Required
- Update the SupportCandy plugin to a version newer than 3.4.4 immediately
- Review existing tickets for signs of unauthorized attachment access
- Audit user accounts with subscriber-level access for suspicious activity
- Consider temporarily restricting attachment functionality until the patch is applied
Patch Information
The vulnerability has been addressed in the plugin update. The fix is available in WordPress Changeset #3448376. Administrators should update to the latest version of the SupportCandy plugin through the WordPress admin dashboard or by downloading directly from the WordPress plugin repository. Additional details are available in the Wordfence Vulnerability Details.
Workarounds
- Restrict user registration to prevent unauthorized users from obtaining subscriber accounts
- Implement additional access controls at the server level to validate attachment ownership
- Consider disabling file attachment functionality in SupportCandy until the update can be applied
- Review and limit the permissions granted to subscriber-level users on the WordPress site
# Verify current SupportCandy plugin version
wp plugin list --name=supportcandy --fields=name,version,update_version
# Update SupportCandy plugin to latest version
wp plugin update supportcandy
# Verify update was successful
wp plugin list --name=supportcandy --fields=name,version,status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

