CVE-2026-54826

PSM · SupportCandy

SupportCandy contains an Insecure Direct Object Reference (IDOR) vulnerability that may allow authenticated subscribers to access unauthorized data.

Executive summary

An IDOR vulnerability in the SupportCandy plugin allows authenticated subscribers to access sensitive data they are not authorized to view.

Vulnerability

This vulnerability is an Insecure Direct Object Reference (IDOR) flaw affecting the subscriber role. Authenticated users can manipulate object references to access support tickets or data belonging to other users, bypassing standard permission checks.

Business impact

With a CVSS score of 7.6, this flaw presents a substantial risk to data privacy. Unauthorized access to support tickets could expose customer personally identifiable information (PII) and internal communications, resulting in reputational damage and potential regulatory compliance violations.

Remediation

Immediate Action: Update the SupportCandy plugin to the latest version provided by PSM to ensure proper authorization controls are enforced.

Proactive Monitoring: Review database access logs for unusual patterns of ticket retrieval that deviate from typical user behavior.

Compensating Controls: If an immediate update is not feasible, use a Web Application Firewall (WAF) to block requests that attempt to access ticket object IDs the requesting user is not entitled to.
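As an added example (not code from this advisory or from the SupportCandy project), the "Proactive Monitoring" step above can be turned into a concrete check over access logs: flag subscriber-role reads of tickets they do not own, and subscribers who touch many distinct ticket IDs in a short span. The log line format, field names, ticket-owner table and the set of privileged roles are all constructed assumptions, not the plugin's real schema.

```python
import re
from collections import defaultdict

# Constructed sample: ticket id -> owner user id (assumption, not SupportCandy's schema).
TICKET_OWNERS = {101: 7, 102: 7, 103: 9, 104: 12, 105: 12, 106: 15}

# Roles assumed to legitimately read tickets they do not own.
PRIVILEGED_ROLES = {"administrator", "agent"}

# Constructed log lines; field names are hypothetical, not the plugin's log format.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z user_id=7 role=subscriber action=view_ticket ticket_id=101
2026-01-10T09:00:05Z user_id=7 role=subscriber action=view_ticket ticket_id=102
2026-01-10T09:01:10Z user_id=9 role=subscriber action=view_ticket ticket_id=101
2026-01-10T09:01:12Z user_id=9 role=subscriber action=view_ticket ticket_id=102
2026-01-10T09:01:14Z user_id=9 role=subscriber action=view_ticket ticket_id=103
2026-01-10T09:01:16Z user_id=9 role=subscriber action=view_ticket ticket_id=104
2026-01-10T09:05:00Z user_id=3 role=agent action=view_ticket ticket_id=105
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user_id=(?P<user>\d+) role=(?P<role>\S+) "
    r"action=view_ticket ticket_id=(?P<ticket>\d+)$"
)

def parse_events(log_text):
    """Parse the constructed log format into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "user": int(m["user"]),
                           "role": m["role"], "ticket": int(m["ticket"])})
    return events

def find_cross_user_reads(events, owners=TICKET_OWNERS):
    """Return (user, ticket) pairs where a non-privileged user read a ticket owned by someone else."""
    hits = []
    for e in events:
        if e["role"] in PRIVILEGED_ROLES:
            continue
        owner = owners.get(e["ticket"])
        if owner is not None and owner != e["user"]:
            hits.append((e["user"], e["ticket"]))
    return hits

def find_enumerators(events, min_distinct=3):
    """Return non-privileged users who touched at least min_distinct different ticket ids."""
    seen = defaultdict(set)
    for e in events:
        if e["role"] not in PRIVILEGED_ROLES:
            seen[e["user"]].add(e["ticket"])
    return sorted(u for u, t in seen.items() if len(t) >= min_distinct)
```

On the sample above, user 9 is flagged by both checks while user 7 (reading only their own tickets) and the agent are not; against a real deployment the owner table would come from the ticket store and the threshold should be tuned to normal per-user volume.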

Exploitation status

Public Exploit Available: false

Analyst recommendation

Administrators using SupportCandy must prioritize this update to prevent unauthorized access to sensitive support data. Ensure that all plugin updates are tested in a staging environment before deployment to production systems.