PT-2026-5504 · WordPress · Supportcandy

Theklis Stefani · Published 2026-01-31 · Updated 2026-01-31

CVE-2026-1251

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SupportCandy – Helpdesk & Customer Support Ticket System, versions prior to 3.4.5

Description: The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress contains an Insecure Direct Object Reference (IDOR) in versions up to and including 3.4.4, caused by missing validation of a user-controlled key in the add reply function. An authenticated attacker with subscriber-level access or higher can supply arbitrary attachment IDs in the description attachments parameter to take file attachments uploaded by other users: the files are re-associated with the attacker's own ticket and the original owners lose access to them. The affected API endpoint is not explicitly identified; the vulnerable parameter is description attachments.

Recommendations: Update SupportCandy – Helpdesk & Customer Support Ticket System to version 3.4.5 or later.
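The following is an added illustration of the weakness class the advisory describes, written for this page; it is not SupportCandy's code and makes no claim about how the plugin stores tickets or attachments. The data model, the in-memory `$attachments` store, the function names `add_reply_vulnerable` and `add_reply_secure`, and the sample IDs and user numbers are all constructed assumptions. It shows the pattern in which a reply handler trusts whatever attachment IDs the client lists and re-parents them, beside the ownership check that closes the hole: every ID must resolve to a file the current user uploaded that is not yet bound to a ticket, and validation completes before any record is changed.

```php
<?php
// Added example (not SupportCandy's code): the IDOR pattern described in the advisory
// and an ownership check that closes it. Store layout, function names and sample data
// are assumptions constructed for this illustration.

declare(strict_types=1);

// Constructed sample data: attachment id => [uploaded_by user id, ticket_id or null if unattached]
$attachments = [
    101 => ['uploaded_by' => 7, 'ticket_id' => 50],   // user 7's file, already on ticket 50
    102 => ['uploaded_by' => 9, 'ticket_id' => null], // user 9 uploaded it, not yet attached
    103 => ['uploaded_by' => 9, 'ticket_id' => 60],   // user 9's file, already on ticket 60
];

// Vulnerable pattern: every attachment ID the client sends is accepted and re-parented
// to the reply's ticket, so a file belonging to another user's ticket is moved away
// from its owner. Only existence of the ID is checked, never who is entitled to it.
function add_reply_vulnerable(array &$attachments, int $ticket_id, array $description_attachments): array
{
    $linked = [];
    foreach ($description_attachments as $raw_id) {
        $id = (int) $raw_id;
        if (!isset($attachments[$id])) {
            continue;
        }
        $attachments[$id]['ticket_id'] = $ticket_id;
        $linked[] = $id;
    }
    return $linked;
}

// Hardened pattern: the object reference is resolved and then checked against the
// caller. An ID that exists but was uploaded by someone else, or is already bound to a
// ticket, rejects the whole request. Validation finishes before any record is mutated,
// so a partially valid list cannot re-parent some files and fail on others.
function add_reply_secure(array &$attachments, int $current_user_id, int $ticket_id, array $description_attachments): array
{
    $ids = array_map('intval', $description_attachments);
    foreach ($ids as $id) {
        if (!isset($attachments[$id])) {
            throw new InvalidArgumentException("unknown attachment $id");
        }
        $a = $attachments[$id];
        if ($a['uploaded_by'] !== $current_user_id || $a['ticket_id'] !== null) {
            // This is the missing authorization check: a valid ID is not enough.
            throw new InvalidArgumentException("attachment $id is not available to user $current_user_id");
        }
    }
    foreach ($ids as $id) {
        $attachments[$id]['ticket_id'] = $ticket_id;
    }
    return $ids;
}

// Demonstration: user 9 replies to ticket 60 and lists attachment 101 (user 7's) and 102 (their own).
$request = ['description_attachments' => ['101', '102']];

$copy = $attachments;
$moved = add_reply_vulnerable($copy, 60, $request['description_attachments']);
echo 'vulnerable handler linked: ', implode(', ', $moved),
     '; attachment 101 now on ticket ', $copy[101]['ticket_id'], PHP_EOL;

try {
    add_reply_secure($attachments, 9, 60, $request['description_attachments']);
} catch (InvalidArgumentException $e) {
    // The request is refused and attachment 101 stays on user 7's ticket.
    echo 'secure handler rejected: ', $e->getMessage(), PHP_EOL;
}

$ok = add_reply_secure($attachments, 9, 60, ['102']);
echo 'secure handler linked: ', implode(', ', $ok), PHP_EOL;
```

Run it with `php` from the command line. In a real plugin the same check would also confirm that the target ticket belongs to, or is visible to, the current user; that step is omitted here because the advisory only describes the attachment side of the validation.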

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-1251

Affected Products: Supportcandy