CVE-2026-4654 Overview
The Awesome Support – WordPress HelpDesk & Support Plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in versions up to and including 6.3.7. The vulnerability exists because the wpas_get_ticket_replies_ajax() function fails to verify whether the authenticated user has permission to view the specific ticket being requested. This security flaw allows authenticated attackers with subscriber-level access or above to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.
Critical Impact
Authenticated users with minimal privileges can access confidential support ticket data belonging to other users, potentially exposing sensitive customer information, internal communications, and private business data across the entire helpdesk system.
Affected Products
- Awesome Support – WordPress HelpDesk & Support Plugin versions up to and including 6.3.7
Discovery Timeline
- 2026-04-08 - CVE-2026-4654 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-4654
Vulnerability Analysis
This Insecure Direct Object Reference vulnerability stems from missing authorization checks in the ticket retrieval functionality. The wpas_get_ticket_replies_ajax() function, located in the functions-post.php file, processes AJAX requests for retrieving ticket replies but does not validate that the requesting user owns or has legitimate access to the ticket specified in the request. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), as the application uses user-supplied input (the ticket_id parameter) to directly access database objects without proper authorization verification.
Root Cause
The root cause is insufficient access control implementation in the ticket reply retrieval function. While the function requires authentication (preventing anonymous access), it fails to implement object-level authorization. The code does not verify the relationship between the authenticated user and the requested ticket, allowing any authenticated user to enumerate and access tickets belonging to other users simply by modifying the ticket identifier in their request.
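The following is an added illustrative example, not the plugin's own code and not the actual patch. It shows the CWE-639 shape the advisory describes (an AJAX handler that trusts a user-supplied ticket_id) next to a hardened handler that performs the missing object-level check. It assumes a WordPress runtime, a 'ticket' post type whose replies are child posts of type 'ticket_reply', the nonce action 'demo_ticket_replies', and 'manage_options' as a stand-in agent capability; those names and every demo_* function are assumptions made for this example.

```php
<?php
/**
 * Added illustrative example; this is NOT the plugin's own code. It assumes a
 * WordPress runtime, a 'ticket' post type whose replies are child posts of
 * type 'ticket_reply', and the nonce action 'demo_ticket_replies'. Those
 * names, and every demo_* function, are assumptions made for this example.
 */

/*
 * Vulnerable shape (CWE-639): the wp_ajax_ hook only guarantees the caller is
 * logged in; nothing ties the requested ticket_id to that caller, so any
 * subscriber can read replies for any ticket. Shown for contrast, never hooked.
 */
function demo_get_ticket_replies_vulnerable() {
	$ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;

	$replies = get_posts( array(
		'post_type'   => 'ticket_reply',
		'post_parent' => $ticket_id, // attacker-controlled key, no ownership check
		'post_status' => 'any',
		'numberposts' => -1,
	) );
	wp_send_json_success( $replies );
}

/*
 * Object-level authorization: the user may view the ticket only if it exists,
 * really is a ticket, and is either theirs or they hold an agent capability.
 * 'manage_options' stands in for whatever agent capability your site uses.
 */
function demo_user_can_view_ticket( $ticket_id, $user_id ) {
	$ticket = get_post( $ticket_id );
	if ( ! $ticket || 'ticket' !== $ticket->post_type ) {
		return false;
	}
	if ( user_can( $user_id, 'manage_options' ) ) {
		return true;
	}
	return (int) $ticket->post_author === (int) $user_id;
}

/*
 * Hardened handler: CSRF nonce, then the object-level check, then a minimal
 * response. "Not found" and "not yours" return the same 404 so the endpoint
 * cannot be used to confirm which ticket IDs exist.
 */
function demo_get_ticket_replies_hardened() {
	check_ajax_referer( 'demo_ticket_replies', 'nonce' );

	$ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
	$user_id   = get_current_user_id();

	if ( 0 === $user_id || ! demo_user_can_view_ticket( $ticket_id, $user_id ) ) {
		wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 ); // exits
	}

	$replies = get_posts( array(
		'post_type'   => 'ticket_reply',
		'post_parent' => $ticket_id,
		'post_status' => 'any',
		'numberposts' => -1,
		'orderby'     => 'date',
		'order'       => 'ASC',
	) );

	// Return only the fields the client needs instead of full WP_Post objects.
	$out = array();
	foreach ( $replies as $reply ) {
		$out[] = array(
			'id'      => $reply->ID,
			'author'  => get_the_author_meta( 'display_name', $reply->post_author ),
			'date'    => $reply->post_date_gmt,
			'content' => wp_kses_post( $reply->post_content ),
		);
	}
	wp_send_json_success( $out );
}
add_action( 'wp_ajax_demo_get_ticket_replies', 'demo_get_ticket_replies_hardened' );
```

The design point is that authentication (the wp_ajax_ prefix) and authorization (demo_user_can_view_ticket) are separate questions; the check must run against the specific object the request names, before any data is fetched, and the failure response should not distinguish a missing ticket from someone else's ticket.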
Attack Vector
An attacker with a valid WordPress account (subscriber-level or higher) can exploit this vulnerability through the network by sending crafted AJAX requests to the vulnerable endpoint. The attack requires no user interaction and can be automated to systematically harvest all support ticket content from the WordPress installation.
The vulnerability is exploited by manipulating the ticket_id parameter in AJAX requests to the wpas_get_ticket_replies_ajax() endpoint. An authenticated attacker can iterate through ticket IDs to access replies from support tickets they do not own. The vulnerable code paths can be examined in the WordPress plugin source code at line 1823 and line 1851. The WordPress Changeset Log shows the modifications made to address this issue.
Detection Methods for CVE-2026-4654
Indicators of Compromise
- Unusual AJAX requests to the Awesome Support ticket reply endpoints from low-privileged user accounts
- Sequential or pattern-based ticket_id parameter values in request logs indicating enumeration attempts
- Abnormal volume of ticket access requests from single user sessions
- Access logs showing users retrieving tickets outside their normal scope or department
Detection Strategies
- Monitor WordPress AJAX request logs for calls to wpas_get_ticket_replies_ajax with varying ticket_id parameters from the same user session
- Implement Web Application Firewall (WAF) rules to detect sequential ID enumeration patterns in request parameters
- Review authentication logs for subscriber-level accounts making excessive ticket retrieval requests
- Enable detailed WordPress audit logging to track ticket access patterns
Monitoring Recommendations
- Configure alerts for anomalous ticket access volumes per user account
- Implement rate limiting on ticket retrieval AJAX endpoints to slow enumeration attempts
- Set up correlation rules to identify users accessing tickets that were not created by them or assigned to them
- Monitor for tools or scripts making automated requests to the vulnerable endpoint
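As an added example (not part of the advisory), the script below implements the detection strategy above over a few constructed audit-log lines: it groups wpas_get_ticket_replies_ajax calls per user, counts distinct ticket_id values, and measures the longest run of consecutive IDs, then flags users exceeding either threshold. The JSON-lines record format and the wpas_demo_analyze function are assumptions for this example; adapt the parser to whatever your audit-logging plugin or WAF actually emits. Note that ordinary web-server access logs will usually not contain the action or ticket_id at all, because WordPress AJAX sends them in the POST body, so this kind of analysis needs WordPress-level audit logging or WAF request logging.

```php
<?php
declare(strict_types=1);

const WPAS_DEMO_ACTION = 'wpas_get_ticket_replies_ajax';

// Constructed sample audit log (JSON lines, format is an assumption).
// User 42 walks six consecutive ticket IDs; user 7 only revisits two tickets.
$sample_log = [
	'{"ts":"2026-04-08T10:00:01Z","user_id":42,"action":"wpas_get_ticket_replies_ajax","ticket_id":1001}',
	'{"ts":"2026-04-08T10:00:02Z","user_id":42,"action":"wpas_get_ticket_replies_ajax","ticket_id":1002}',
	'{"ts":"2026-04-08T10:00:03Z","user_id":42,"action":"wpas_get_ticket_replies_ajax","ticket_id":1003}',
	'{"ts":"2026-04-08T10:00:04Z","user_id":42,"action":"wpas_get_ticket_replies_ajax","ticket_id":1004}',
	'{"ts":"2026-04-08T10:00:05Z","user_id":42,"action":"wpas_get_ticket_replies_ajax","ticket_id":1005}',
	'{"ts":"2026-04-08T10:00:06Z","user_id":42,"action":"wpas_get_ticket_replies_ajax","ticket_id":1006}',
	'{"ts":"2026-04-08T10:05:00Z","user_id":7,"action":"wpas_get_ticket_replies_ajax","ticket_id":1003}',
	'{"ts":"2026-04-08T10:09:00Z","user_id":7,"action":"wpas_get_ticket_replies_ajax","ticket_id":1003}',
	'{"ts":"2026-04-08T10:10:00Z","user_id":7,"action":"wpas_get_ticket_replies_ajax","ticket_id":1010}',
	'{"ts":"2026-04-08T10:11:00Z","user_id":7,"action":"some_other_action","ticket_id":1011}',
	'not json at all',
];

/**
 * Group ticket-reply requests per user and flag enumeration-like behaviour.
 * Returns [user_id => ['distinct_tickets', 'longest_sequential_run', 'flagged']].
 */
function wpas_demo_analyze(array $lines, int $distinct_threshold = 5, int $run_threshold = 4): array
{
	$per_user = [];
	foreach ($lines as $line) {
		$rec = json_decode($line, true);
		// Skip malformed lines and unrelated actions.
		if (!is_array($rec) || ($rec['action'] ?? '') !== WPAS_DEMO_ACTION) {
			continue;
		}
		$uid = (int) ($rec['user_id'] ?? 0);
		$tid = (int) ($rec['ticket_id'] ?? 0);
		if ($uid === 0 || $tid === 0) {
			continue;
		}
		$per_user[$uid][$tid] = true; // set semantics: repeats of one ticket count once
	}

	$findings = [];
	foreach ($per_user as $uid => $tickets) {
		$ids = array_keys($tickets);
		sort($ids);
		// Longest run of consecutive IDs is the enumeration signal.
		$longest = 1;
		$run     = 1;
		for ($i = 1, $n = count($ids); $i < $n; $i++) {
			$run     = ($ids[$i] === $ids[$i - 1] + 1) ? $run + 1 : 1;
			$longest = max($longest, $run);
		}
		$findings[$uid] = [
			'distinct_tickets'       => count($ids),
			'longest_sequential_run' => $longest,
			'flagged'                => count($ids) >= $distinct_threshold || $longest >= $run_threshold,
		];
	}
	return $findings;
}

foreach (wpas_demo_analyze($sample_log) as $uid => $f) {
	printf(
		"user %d: %d distinct tickets, longest sequential run %d -> %s\n",
		$uid,
		$f['distinct_tickets'],
		$f['longest_sequential_run'],
		$f['flagged'] ? 'FLAGGED' : 'ok'
	);
}
```

Run with the PHP CLI; user 42 is flagged on both counts and user 7 is not. Thresholds should be tuned against the normal behaviour of agents, who legitimately open many tickets, for example by exempting agent roles or raising the thresholds for them.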
How to Mitigate CVE-2026-4654
Immediate Actions Required
- Update the Awesome Support plugin to the latest patched version immediately
- Review access logs for evidence of exploitation or unauthorized ticket access
- Audit subscriber and contributor level accounts for suspicious activity
- Consider temporarily restricting plugin functionality until the update is applied
Patch Information
The vulnerability has been addressed in versions after 6.3.7. Administrators should update the Awesome Support plugin through the WordPress admin dashboard or by downloading the latest version from the WordPress plugin repository. The fix implements proper authorization checks to verify that the authenticated user has legitimate access to the requested ticket before returning ticket reply data. Review the WordPress Changeset Log for technical details of the patch. Additional vulnerability details are available in the Wordfence Vulnerability Report.
Workarounds
- Implement server-level access controls to restrict the vulnerable AJAX endpoint to administrative users only until a patch can be applied
- Use a Web Application Firewall to block or rate-limit requests to the wpas_get_ticket_replies_ajax action
- Temporarily disable the Awesome Support plugin if ticket functionality is not critical to operations
- Remove or downgrade subscriber-level accounts that are not actively required
# Temporary .htaccess rule to restrict AJAX access (Apache)
# Add to WordPress root .htaccess, above the default WordPress rewrite block
# Caveats: this returns 403 to every caller, administrators and agents included,
# because mod_rewrite cannot tell WordPress roles apart. It also only matches when
# the action is passed in the query string; mod_rewrite cannot inspect the POST body,
# so a request that carries action=wpas_get_ticket_replies_ajax only in the form body
# is not blocked. Treat it as a partial stopgap, not a substitute for the update.
<IfModule mod_rewrite.c>
RewriteEngine On
# Both conditions must hold (RewriteCond lines are ANDed by default)
RewriteCond %{QUERY_STRING} action=wpas_get_ticket_replies_ajax [NC]
RewriteCond %{REQUEST_METHOD} POST
# Respond 403 Forbidden and stop processing further rules
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.