PT-2026-3211 · WordPress

Angus Girvan · Published 2026-01-16 · Updated 2026-01-16

CVE-2025-12641
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Awesome Support - WordPress HelpDesk & Support Plugin, versions prior to 6.3.7
Description: The Awesome Support plugin for WordPress contains an authorization bypass in the wpas_do_mr_activate_user function, which changes a user's role without verifying that the requester has the capability to do so. The plugin also uses a single nonce namespace for all of its actions, so a nonce issued for public registration is accepted by privileged actions as well. An unauthenticated attacker who has obtained a valid nonce from the public registration or submit-ticket page can send a request to the wpas-do=mr_activate_user action with a user-controlled user_id parameter and have that account's role changed, which allows demoting administrators to lower-privilege roles. Because WordPress nonces issued to logged-out visitors are not bound to an individual session, a nonce rendered into those public pages is usable by any unauthenticated client for as long as it remains valid. The CVSS vector reflects this: no privileges or user interaction are required (PR:N/UI:N), and the impact is to integrity and availability (loss of administrative access) rather than confidentiality.
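The pattern the description refers to, as an added illustration written for this page: it is not the Awesome Support source, and the my_helpdesk_* names, the wpas_user role, the _wpnonce/user_id request fields and the dispatcher are assumptions. The first handler shares one nonce action string with the public registration form and performs no capability check; the second authorizes first and binds the nonce to the specific action and target.

```php
<?php
/*
 * Illustrative code for this advisory, not the plugin's own. The WordPress
 * API calls (wp_create_nonce, wp_verify_nonce, current_user_can, get_userdata,
 * WP_User::set_role, wp_die) are real; the my_helpdesk_* names, the
 * 'wpas_user' role and the request field names are assumptions.
 */

/* ---- Vulnerable shape: one nonce namespace, no capability check ---- */

const MY_HELPDESK_SHARED_NONCE = 'my_helpdesk';   // reused by every action

function my_helpdesk_register_form_vulnerable() {
    // The public registration page embeds a nonce any visitor can read.
    // Logged-out nonces are not tied to a session, so it works for anyone.
    echo '<input type="hidden" name="_wpnonce" value="'
        . esc_attr( wp_create_nonce( MY_HELPDESK_SHARED_NONCE ) ) . '">';
}

function my_helpdesk_activate_user_vulnerable() {
    $nonce = isset( $_REQUEST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    // A nonce harvested from the registration page passes this check because
    // the privileged action uses the same nonce action string.
    if ( ! wp_verify_nonce( $nonce, MY_HELPDESK_SHARED_NONCE ) ) {
        wp_die( 'Invalid nonce' );
    }
    // No current_user_can() check: the requester picks the target account.
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    $user    = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( 'subscriber' );   // an administrator ends up here
    }
}

/* ---- Hardened shape: authorize first, then a per-action, per-target nonce ---- */

const MY_HELPDESK_ACTIVATE_ROLE = 'wpas_user';  // assumed helpdesk role

function my_helpdesk_activation_nonce_action( $user_id ) {
    // Distinct action string per operation and per target, so a nonce minted
    // for the registration form (or for another user) is rejected.
    return 'my_helpdesk_activate_user_' . (int) $user_id;
}

function my_helpdesk_activate_user_hardened() {
    // 1. Authorization is independent of the nonce. A nonce only shows the
    //    request came from a page the site rendered (CSRF defence); it says
    //    nothing about who is allowed to change roles.
    if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    $nonce   = isset( $_REQUEST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';

    // 2. The nonce must have been minted for exactly this action and target.
    if ( ! $user_id
        || ! wp_verify_nonce( $nonce, my_helpdesk_activation_nonce_action( $user_id ) ) ) {
        wp_die( 'Invalid or expired request', 'Bad request', array( 'response' => 400 ) );
    }

    // 3. Never move an account out of a privileged role through this path.
    $user = get_userdata( $user_id );
    if ( ! $user || in_array( 'administrator', (array) $user->roles, true ) ) {
        wp_die( 'Target user not eligible for activation', 'Bad request', array( 'response' => 400 ) );
    }

    $user->set_role( MY_HELPDESK_ACTIVATE_ROLE );
}

// Assumed dispatcher in the style of a ?wpas-do=<action> query parameter.
add_action( 'init', function () {
    if ( isset( $_GET['wpas-do'] ) && 'mr_activate_user' === $_GET['wpas-do'] ) {
        my_helpdesk_activate_user_hardened();
    }
} );
```

The order in the hardened handler is the point: the capability check runs before anything else and does not depend on the nonce, the nonce action string is unique to the operation and to the target user so a token lifted from a public form is useless, and the handler refuses to touch administrator accounts regardless of who calls it. When reviewing a plugin for this class of bug, look for handlers reachable without a login that call set_role(), and for wp_verify_nonce() calls whose action string is also passed to wp_create_nonce() on a public page.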
Recommendations: Update to version 6.3.7 or later. Confirm the installed version on the Plugins screen or with WP-CLI (wp plugin list), and, because the impact is demotion of administrators, review existing accounts for unexpected role changes after updating.

Fix: 6.3.7

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-12641

Affected Products

Awesome Support
WordPress