Description
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
Published: 2026-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthenticated Role Demotion
Action: Apply Patch
AI Analysis

Impact

The Awesome Support WordPress plugin is vulnerable to an authorization bypass caused by missing capability checks in the wpas_do_mr_activate_user function and a reusable nonce that is shared across public actions. An unauthenticated attacker who can obtain a valid nonce from the publicly available registration or ticket page can send a crafted request to demote an administrator to a low-privilege role. This weakness falls under CWE-862 and results in the loss of administrative privileges without requiring any initial authentication, though the target user must already exist and be an administrator.

Affected Systems

The affected product is Awesome Support – WordPress HelpDesk & Support Plugin, in all releases up to and including version 6.3.6. The vulnerability impacts any WordPress site that has the plugin installed and the public registration or ticket page accessible. Only the plugin version determines whether the flaw is present.

Risk and Exploitability

The CVSS base score is 6.5, indicating a moderate severity. The EPSS score is less than 1%, meaning exploitation is unlikely in the general threat landscape. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw with a simple web request: they request the public registration page to capture a nonce, then POST a wpas-do=mr_activate_user action with the target user_id. No privileged access or additional user interaction is required once the nonce is captured.

Generated by OpenCVE AI on April 21, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Awesome Support to version 6.3.7 or later where the authorization checks and nonce handling have been corrected.
  • If an immediate upgrade is not possible, temporarily disable the wpas_do_mr_activate_user action by adding a custom plugin that removes the action hook before the plugin loads.
  • Restrict access to the public registration and ticket pages, or apply role validation to ensure only users with appropriate capabilities can interact with them.
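To make the third recommendation concrete, here is an added illustration (hypothetical code, not the plugin's own) of a WordPress action handler in the weak shape described by the advisory, followed by a hardened version that checks capabilities before acting and binds the nonce to a single action and target user. Function names are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration, not Awesome Support's code. Shows why a shared nonce
// namespace plus a missing capability check lets any public nonce drive a
// role change, and how a handler should look instead.

// Weak pattern: every 'wpas-do' action verifies the same nonce action string,
// and no capability is checked, so a nonce issued for public registration
// also authorizes this privileged role change (CWE-862).
function hypothetical_weak_activate_user() {
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'wpas-do' ) ) {
        wp_die( 'Invalid nonce', 403 );
    }
    $user = get_userdata( (int) ( $_REQUEST['user_id'] ?? 0 ) );
    if ( $user ) {
        $user->set_role( 'subscriber' );
    }
}

// Hardened pattern.
function hypothetical_hardened_activate_user() {
    // 1. Capability check before anything else: 'promote_users' is the core
    //    capability required to change another user's role.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $user_id = absint( $_REQUEST['user_id'] ?? 0 );
    // 2. Action-specific nonce tied to the target user. The admin-side form
    //    must create it with the same string:
    //    wp_create_nonce( 'wpas_mr_activate_user_' . $user_id )
    //    so a registration-page nonce cannot be replayed here.
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'wpas_mr_activate_user_' . $user_id ) ) {
        wp_die( 'Invalid nonce', 403 );
    }
    // 3. Per-user edit capability, and never let this path touch yourself or
    //    an existing administrator.
    if ( $user_id === get_current_user_id() || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $user = get_userdata( $user_id );
    if ( ! $user || in_array( 'administrator', (array) $user->roles, true ) ) {
        wp_die( 'Invalid target user', 400 );
    }
    $user->set_role( 'subscriber' );
}
```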


Advisories

No advisories yet.

History

Fri, 16 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Awesomesupport; Awesomesupport awesome Support Wordpress Helpdesk & Support; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Awesomesupport; Awesomesupport awesome Support Wordpress Helpdesk & Support; Wordpress; Wordpress wordpress

Fri, 16 Jan 2026 05:00:00 +0000

Type: Description
Values Added: The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.

Type: Title
Values Added: Awesome Support – WordPress HelpDesk & Support Plugin <= 6.3.6 - Missing Authorization to Unauthenticated Role Demotion

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:18.740Z

Reserved: 2025-11-03T19:25:32.824Z

Link: CVE-2025-12641

Vulnrichment

Updated: 2026-01-16T14:02:07.195Z

NVD

Status : Deferred

Published: 2026-01-16T05:16:04.500

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z

Weaknesses