CVE-2026-0683

Name of the Vulnerable Software and Affected Versions SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress versions up to and including 3.4.4

Description The SupportCandy plugin for WordPress is susceptible to SQL Injection through the Number-type custom field filter. This is caused by inadequate escaping of user-provided values when using the equals operator and insufficient preparation of the SQL query. Authenticated attackers with Subscriber-level access or higher can append additional SQL queries to existing ones, potentially extracting sensitive information from the database.

Recommendations Versions prior to and including 3.4.4 should be updated.