Impact
The SupportCandy Helpdesk & Customer Support Ticket System plugin for WordPress contains an insecure direct object reference (IDOR), classified as CWE‑639 (Authorization Bypass Through User‑Controlled Key). The flaw is in the add_reply function: the description_attachments parameter carries attachment IDs chosen by the client, and the plugin acts on those IDs without verifying that the requesting user owns the referenced attachments. An authenticated user with Subscriber-level access or higher can therefore submit arbitrary attachment IDs, causing the plugin to re‑associate the referenced files with the attacker's own ticket and strip the original owners' access to them. The result is unauthorized disclosure of other users' uploaded documents and, because the files are re‑associated rather than copied, their loss from the victims' tickets, affecting both confidentiality and availability.
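The following PHP illustrates the pattern described above and one way to close it. It is an added example written for this page, not SupportCandy's code: the table name, column names, nonce action, request parameters and helper functions (example_* names) are hypothetical, and only the WordPress core APIs used (check_ajax_referer, get_current_user_id, $wpdb->prepare/get_col/get_var/query, wp_send_json_*) are real. The vulnerable handler trusts the client-supplied IDs outright; the fixed handler resolves the IDs to rows the current user actually uploaded and that are not yet bound to a ticket, and rejects the request if any ID fails that check rather than silently dropping it.

```php
<?php
// Added illustration of a CWE-639 IDOR in a ticket-reply handler and its fix.
// NOT the plugin's own code. All example_* names, the table
// {prefix}example_attachments / {prefix}example_tickets and their columns are hypothetical.

// VULNERABLE: the client picks the attachment IDs (a user-controlled key) and the
// handler re-associates every one of them with the caller's ticket, whoever uploaded them.
function example_add_reply_vulnerable() {
    global $wpdb;
    check_ajax_referer( 'example_add_reply', 'nonce' );          // CSRF check only, no authorization
    $ticket_id = absint( $_POST['ticket_id'] ?? 0 );
    $ids       = array_map( 'absint', (array) ( $_POST['description_attachments'] ?? array() ) );
    if ( $ticket_id && $ids ) {
        $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
        $wpdb->query( $wpdb->prepare(
            "UPDATE {$wpdb->prefix}example_attachments SET ticket_id = %d WHERE id IN ($placeholders)",
            array_merge( array( $ticket_id ), $ids )
        ) );
    }
    wp_send_json_success();
}

// FIXED: resolve the requested IDs to attachments this user uploaded and that are
// not yet attached to any ticket. Anything else is simply not returned.
function example_owned_unbound_attachment_ids( array $requested, int $user_id ): array {
    global $wpdb;
    $ids = array_values( array_unique( array_filter( array_map( 'absint', $requested ) ) ) );
    if ( ! $ids ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = "SELECT id FROM {$wpdb->prefix}example_attachments
            WHERE uploaded_by = %d AND ticket_id IS NULL AND id IN ($placeholders)";
    $rows = $wpdb->get_col( $wpdb->prepare( $sql, array_merge( array( $user_id ), $ids ) ) );
    return array_map( 'intval', $rows );
}

// Hypothetical ticket-level check: the ticket's customer, or a site admin, may reply.
function example_user_can_reply( int $ticket_id, int $user_id ): bool {
    global $wpdb;
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    $owner = $wpdb->get_var( $wpdb->prepare(
        "SELECT customer_id FROM {$wpdb->prefix}example_tickets WHERE id = %d", $ticket_id
    ) );
    return null !== $owner && (int) $owner === $user_id;
}

function example_add_reply_fixed() {
    global $wpdb;
    check_ajax_referer( 'example_add_reply', 'nonce' );
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not_logged_in', 401 );
    }
    $ticket_id = absint( $_POST['ticket_id'] ?? 0 );
    if ( ! $ticket_id || ! example_user_can_reply( $ticket_id, $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $requested = (array) ( $_POST['description_attachments'] ?? array() );
    $wanted    = array_values( array_unique( array_filter( array_map( 'absint', $requested ) ) ) );
    $allowed   = example_owned_unbound_attachment_ids( $wanted, $user_id );
    // Fail closed: if even one ID is not the caller's own unbound upload, refuse the whole reply
    // instead of quietly attaching the subset that passed.
    if ( count( $allowed ) !== count( $wanted ) ) {
        wp_send_json_error( 'attachment_not_owned', 403 );
    }
    if ( $allowed ) {
        $placeholders = implode( ',', array_fill( 0, count( $allowed ), '%d' ) );
        $wpdb->query( $wpdb->prepare(
            "UPDATE {$wpdb->prefix}example_attachments SET ticket_id = %d
             WHERE id IN ($placeholders) AND uploaded_by = %d AND ticket_id IS NULL",
            array_merge( array( $ticket_id ), $allowed, array( $user_id ) )
        ) );
    }
    wp_send_json_success( array( 'attached' => $allowed ) );
}
```

Two points carry the weight here. First, the ownership check is expressed as a database predicate (uploaded_by = current user, ticket_id IS NULL) rather than a per-ID loop in PHP, so there is no window between "check" and "update"; the UPDATE repeats the same predicate so a race cannot re-associate a file that was bound in between. Second, the handler fails closed: a mismatch between requested and permitted IDs is treated as an authorization failure and logged by the caller, which is also the signal a defender would want to alert on.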
Affected Systems
Every SupportCandy installation running version 3.4.4 or earlier is affected. The flaw sits in the plugin's reply-handling code rather than in an optional feature, so it is not limited to a particular configuration, theme or hosting setup; any site on an affected version that allows users to log in exposes it.
Risk and Exploitability
A CVSS score of 5.4 places the issue in the Medium band, and an EPSS score below 1% indicates a low estimated probability of exploitation over the next 30 days. The vulnerability is not in the CISA KEV catalog, which means CISA has not confirmed exploitation in the wild; it does not mean the flaw is unexploited. Exploitation requires an authenticated account with at least the Subscriber role. On sites that do not allow self-registration this limits the attacker pool to existing users, but WordPress's "Anyone can register" option assigns the Subscriber role by default, so on sites with open registration any visitor can obtain the required privilege in seconds. Because a successful exploit both exposes and removes other users' attachments, the issue warrants timely remediation despite the modest scores.
OpenCVE Enrichment