PT-2026-31110 · WordPress · The Awesome Support – Wordpress Helpdesk & Support Plugin

Michael Iden · Published 2026-04-08 · Updated 2026-04-13 · CVE-2026-4654

CVSS v3.1: 5.3 (Medium), AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: The Awesome Support – WordPress HelpDesk & Support Plugin versions up to and including 6.3.7

Description: The Awesome Support – WordPress HelpDesk & Support Plugin is susceptible to an Insecure Direct Object Reference issue. The wpas_get_ticket_replies_ajax() function does not properly validate user permissions when accessing support tickets. This allows authenticated attackers with subscriber-level access or higher to access sensitive information from all support tickets by manipulating the ticket_id parameter.

Recommendations: For versions up to and including 6.3.7, ensure the wpas_get_ticket_replies_ajax() function properly verifies user permissions before granting access to support ticket data.
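
One way to implement the permission check the recommendation calls for, shown as an added example that is not the plugin's own code or its patch. The handler and action names, the nonce field, the post types and the agent capability are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's code. Every EXAMPLE_* value is an assumption.
const EXAMPLE_TICKET_TYPE = 'ticket';       // assumed post type for tickets
const EXAMPLE_REPLY_TYPE  = 'ticket_reply'; // assumed post type for replies
const EXAMPLE_AGENT_CAP   = 'edit_ticket';  // assumed capability held by support agents

/** True only if $user_id may read the ticket: its author, or an agent. */
function example_user_can_view_ticket( int $ticket_id, int $user_id ): bool {
    $ticket = get_post( $ticket_id );
    if ( ! $ticket || EXAMPLE_TICKET_TYPE !== $ticket->post_type ) {
        return false; // unknown ID or not a ticket: deny, same as "not yours"
    }
    if ( (int) $ticket->post_author === $user_id ) {
        return true;
    }
    return user_can( $user_id, EXAMPLE_AGENT_CAP, $ticket_id );
}

function example_get_ticket_replies_ajax(): void {
    // 1. CSRF: nonce bound to this action (assumed request field "nonce").
    check_ajax_referer( 'example_get_ticket_replies', 'nonce' );

    // 2. Normalise the client-supplied ID; it is never proof of ownership.
    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;

    // 3. Object-level authorization: the check an IDOR handler is missing.
    //    The same 404 is returned for "no such ticket" and "not your ticket",
    //    so responses do not reveal which ticket IDs exist.
    if ( ! $ticket_id || ! example_user_can_view_ticket( $ticket_id, get_current_user_id() ) ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    $replies = get_posts( array(
        'post_type'   => EXAMPLE_REPLY_TYPE,
        'post_parent' => $ticket_id,
        'post_status' => 'any',
        'numberposts' => 50,
        'orderby'     => 'date',
        'order'       => 'ASC',
    ) );

    wp_send_json_success( array_map( static function ( $r ) {
        return array( 'id' => $r->ID, 'date' => $r->post_date_gmt, 'content' => wp_kses_post( $r->post_content ) );
    }, $replies ) );
}
// wp_ajax_* fires only for logged-in users; no wp_ajax_nopriv_* hook is registered.
add_action( 'wp_ajax_example_get_ticket_replies', 'example_get_ticket_replies_ajax' );
```

Being logged in and holding a valid nonce only establishes who is asking; step 3 is what ties the requested ticket to that user.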

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-4654

Affected Products: The Awesome Support – Wordpress Helpdesk & Support Plugin