WordPress · SupportCandy · CVE-2026-1251
**Name of the Vulnerable Software and Affected Versions**
SupportCandy – Helpdesk & Customer Support Ticket System versions prior to 3.4.5
**Description**
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress has an Insecure Direct Object Reference (IDOR) issue in versions up to and including 3.4.4. The cause is a lack of validation on a user-controlled key within the `add reply` function. Authenticated attackers with subscriber-level access or higher can exploit this to steal file attachments uploaded by other users: by specifying arbitrary attachment IDs in the `description attachments` parameter, they can re-associate those files with their own tickets and remove access from the original owners. The specific API endpoint involved is not identified in this advisory. The vulnerable parameter is `description attachments`.
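To make the missing check concrete, here is an added PHP illustration of the general defect class described above, written for this advisory and not taken from the SupportCandy code base. It assumes a hypothetical attachments table (`tkt_attachments` with `id`, `owner_id` and `ticket_id` columns) and hypothetical reply handlers; the first function shows the IDOR pattern the description implies (submitted attachment IDs are trusted as-is), the second shows a handler that only re-associates attachments the current user uploaded and that are not yet bound to a ticket.

```php
<?php
// Hypothetical illustration of the IDOR pattern and its fix.
// Table and column names are assumptions, not SupportCandy's schema.

// VULNERABLE PATTERN: trusts the submitted attachment IDs and re-points
// every one of them at the caller's ticket with no ownership check, so a
// low-privileged user can move another user's upload onto their own ticket.
function hypothetical_add_reply_unsafe( $ticket_id, array $attachment_ids ) {
    global $wpdb;
    foreach ( $attachment_ids as $id ) {
        $wpdb->update(
            'tkt_attachments',
            array( 'ticket_id' => absint( $ticket_id ) ),
            array( 'id' => absint( $id ) )
        );
    }
}

// HARDENED PATTERN: only attachments that the current user uploaded and
// that are not yet bound to any ticket may be attached to the reply.
function hypothetical_add_reply_safe( $ticket_id, array $attachment_ids ) {
    global $wpdb;
    $user_id   = get_current_user_id();
    $ticket_id = absint( $ticket_id );
    $ids       = array_values( array_unique( array_map( 'absint', $attachment_ids ) ) );
    if ( ! $user_id || empty( $ids ) ) {
        return array();
    }

    // Resolve the submitted IDs against the caller's own unattached uploads.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $owned = $wpdb->get_col(
        $wpdb->prepare(
            "SELECT id FROM tkt_attachments
              WHERE owner_id = %d AND ticket_id = 0 AND id IN ($placeholders)",
            array_merge( array( $user_id ), $ids )
        )
    );
    $owned = array_map( 'intval', $owned );

    // Reject the whole request if any submitted ID is not the caller's own
    // unattached upload, rather than silently attaching the valid subset.
    if ( count( array_diff( $ids, $owned ) ) > 0 ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment reference.' ), 403 );
    }

    foreach ( $owned as $id ) {
        $wpdb->update(
            'tkt_attachments',
            array( 'ticket_id' => $ticket_id ),
            // The WHERE clause pins the owner again, so a race with a
            // concurrent request cannot widen the set of affected rows.
            array( 'id' => $id, 'owner_id' => $user_id ),
            array( '%d' ),
            array( '%d', '%d' )
        );
    }
    return $owned;
}
```

The safe handler still needs the usual surrounding checks that any reply action should carry (a nonce on the request and a capability check that the caller may reply to `$ticket_id` at all); the point shown here is the one the advisory names, namely that an object ID taken from the request must be bound to the requesting user before it is acted on.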
**Recommendations**
Update SupportCandy – Helpdesk & Customer Support Ticket System to version 3.4.5 or later.