Description
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
Published: 2025-09-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from missing rate limiting on the OTP verification step of the guest login in the SupportCandy Helpdesk & Customer Support Ticket System plugin for WordPress. An unauthenticated attacker can brute force the 6‑digit OTP code and bypass authentication, gaining unauthorized access to customer support tickets. This exposes potentially sensitive support requests and customer data and lets the attacker act within the hijacked support session, affecting both confidentiality and integrity (the CVSS vector rates each as Low). The weakness is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts).

Affected Systems

All installations of the SupportCandy plugin for WordPress with versions up to and including 3.3.7 are affected. No other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 places the flaw in the medium severity range, and the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The exploitation path is straightforward: OTP attempts can be submitted without prior authentication, so the attack requires only knowledge of the OTP endpoint and of the code format. A six‑digit numeric code has only 1,000,000 possible values, so with no attempt limit an attacker needs on average about 500,000 requests (and at most 1,000,000) to hit the right code, which is feasible with automated tools; the low EPSS indicates that active exploitation is currently uncommon, not that the attack is difficult.
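The following is an added example, not code from the plugin or from this advisory. It models the two behaviours the analysis contrasts: an OTP check that accepts unlimited guesses (the CWE‑307 condition) next to a hardened check that counts attempts per issued code, expires the code, and makes it single‑use. The limits (5 attempts, 10‑minute lifetime) and the class and function names are assumptions chosen for the illustration; the attacker loop simply walks the 6‑digit space in order.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6             # the advisory's 6-digit code: only 10**6 possible values
MAX_ATTEMPTS = 5           # assumed policy: invalidate the code after 5 wrong guesses
OTP_TTL_SECONDS = 600      # assumed policy: a code expires 10 minutes after issue


def generate_otp():
    """Return a zero-padded 6-digit code drawn from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


def _well_formed(guess):
    # Reject anything that is not exactly OTP_DIGITS ASCII digits before comparing,
    # so the constant-time compare always sees equal-length ASCII strings.
    return isinstance(guess, str) and len(guess) == OTP_DIGITS and guess.isascii() and guess.isdigit()


class UnlimitedOtpVerifier:
    """Models the vulnerable behaviour (CWE-307): every guess is checked, with no limit."""

    locked = False  # never locks, which is exactly the problem

    def __init__(self, email, code=None):
        self.email = email
        self.code = code or generate_otp()

    def verify(self, guess):
        return _well_formed(guess) and hmac.compare_digest(self.code, guess)


class LimitedOtpVerifier:
    """Hardened form: the code is single-use, expires, and is invalidated after max_attempts."""

    def __init__(self, email, code=None, now=None, max_attempts=MAX_ATTEMPTS, ttl=OTP_TTL_SECONDS):
        self.email = email
        self.code = code or generate_otp()
        self.issued_at = time.time() if now is None else now
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.attempts = 0
        self.locked = False

    def verify(self, guess, now=None):
        now = time.time() if now is None else now
        if self.locked or now - self.issued_at > self.ttl:
            return False                      # locked or expired: the user must request a new code
        self.attempts += 1                    # count the attempt before checking it
        if _well_formed(guess) and hmac.compare_digest(self.code, guess):
            self.locked = True                # single use: replaying the same code fails
            return True
        if self.attempts >= self.max_attempts:
            self.locked = True                # too many failures: this code is burned
        return False


def brute_force(verifier):
    """Attacker loop: submit 000000..999999 in order until a guess is accepted or the
    code is invalidated. Returns (code_or_None, requests_sent)."""
    for n in range(10 ** OTP_DIGITS):
        guess = f"{n:0{OTP_DIGITS}d}"
        if verifier.verify(guess):
            return guess, n + 1
        if verifier.locked:
            return None, n + 1
    return None, 10 ** OTP_DIGITS


if __name__ == "__main__":
    # Same secret code for both verifiers so the two runs are comparable.
    code = generate_otp()
    print("unlimited:", brute_force(UnlimitedOtpVerifier("guest@example.com", code=code)))
    print("limited:  ", brute_force(LimitedOtpVerifier("guest@example.com", code=code)))
```

Against the unlimited verifier the loop always succeeds, after at most a million requests; against the limited one it is stopped at the fifth wrong guess and even the correct code is refused afterwards. Invalidating the code after the limit is what matters: a pure per‑IP throttle is bypassed by distributing the guesses across many sources, so the counter has to be tied to the issued code (or the guest identity), and issuance of fresh codes needs its own limit so an attacker cannot simply request a new one after each lockout.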

Generated by OpenCVE AI on April 27, 2026 at 23:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or update for the SupportCandy plugin.
  • Enable and enforce rate limiting on the OTP verification endpoint to restrict the number of attempts per IP or user.
  • If guest (OTP‑based) ticket access is not needed, disable it so that tickets are reachable only by authenticated, logged‑in users; where it is needed, tie the attempt limit to the issued code or guest identity rather than to the source IP alone, since per‑IP throttling can be evaded by distributing guesses.
  • Monitor server logs for repeated failed OTP attempts and configure automated blocking or alerting for suspicious activity.
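The detection item above, as an added example that is not part of this advisory or of the plugin: a sliding‑window counter over web‑server access log lines in combined log format that alerts when one source IP, or all sources together, submit more OTP guesses than a threshold within a minute. The request path `/otp-verify`, the thresholds, and the log lines are all constructed for the illustration; substitute the plugin's real OTP submission pattern and tune the thresholds to your traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical request pattern for the plugin's OTP verification; substitute the real one.
OTP_PATH = "/otp-verify"
WINDOW_SECONDS = 60        # sliding window length
PER_IP_THRESHOLD = 20      # alert when one IP sends this many OTP submissions in the window
GLOBAL_THRESHOLD = 100     # alert when all IPs together do, which catches distributed guessing

# Apache/nginx combined log format; the query string is dropped from the path before matching.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, unix_time, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts.timestamp(), m["method"], m["path"].split("?", 1)[0]


def detect(lines, window=WINDOW_SECONDS, per_ip=PER_IP_THRESHOLD, overall=GLOBAL_THRESHOLD):
    """Sliding-window counts of OTP submissions per source IP and overall.
    Every submission is counted, not only non-200 responses: a rejected guess is commonly
    answered with HTTP 200 and a JSON error, so the status code is not a failure signal."""
    per_ip_hits = defaultdict(deque)
    all_hits = deque()
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, method, path = rec
        if method != "POST" or path != OTP_PATH:
            continue
        q = per_ip_hits[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        all_hits.append(t)
        while all_hits and t - all_hits[0] > window:
            all_hits.popleft()
        if len(q) >= per_ip and ip not in flagged:
            flagged.add(ip)
            alerts.append(("per-ip", ip, len(q)))
        if len(all_hits) >= overall and "*" not in flagged:
            flagged.add("*")
            alerts.append(("global", "*", len(all_hits)))
    return alerts


def sample_log():
    """Constructed log lines: one client hammering the OTP endpoint, plus ordinary traffic."""
    base = datetime(2025, 9, 22, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "POST {OTP_PATH} HTTP/1.1" 200 87 "-" "python-requests/2.32"')
    ts = (base + timedelta(seconds=3)).strftime(fmt)
    lines.append(f'198.51.100.7 - - [{ts}] "GET /support/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.7 - - [{ts}] "POST {OTP_PATH} HTTP/1.1" 200 87 "-" "Mozilla/5.0"')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for kind, who, count in detect(sample_log()):
        print(f"ALERT {kind}: {who} sent {count} OTP submissions within {WINDOW_SECONDS}s")
```

On the constructed sample the per‑IP rule fires once for 203.0.113.5 at its twentieth submission and stays quiet for the single legitimate guest. The global counter is the one to watch in practice: a patient attacker spreading 500,000 guesses over many addresses never trips a per‑IP rule, but the aggregate submission rate against the OTP endpoint still stands out against the site's normal baseline.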

Generated by OpenCVE AI on April 27, 2026 at 23:48 UTC.

Advisories

Source  ID               Title
EUVD    EUVD-2025-30308  The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.

History

Mon, 22 Sep 2025 15:15:00 +0000

Type     Values Removed  Values Added
Metrics  -               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 10:15:00 +0000

Type                 Values Removed  Values Added
First Time appeared  -               Supportcandy; Supportcandy supportcandy; Wordpress; Wordpress wordpress
Vendors & Products   -               Supportcandy; Supportcandy supportcandy; Wordpress; Wordpress wordpress

Sat, 20 Sep 2025 07:00:00 +0000

Type         Values Removed  Values Added
Description  -               The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
Title        -               SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.7 - Authentication Bypass to Support Session Takeover
Weaknesses   -               CWE-307
References   -               -
Metrics      -               cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:37.459Z

Reserved: 2025-09-17T21:59:39.750Z

Link: CVE-2025-10658

Vulnrichment

Updated: 2025-09-22T15:01:43.460Z

NVD

Status : Deferred

Published: 2025-09-20T07:15:35.607

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10658

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T00:00:18Z

Weaknesses