Description
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The Awesome Support plugin contains an insecure direct object reference that allows an authenticated WordPress user with subscriber role or higher to bypass authorization checks when requesting ticket replies via the wpas_get_ticket_replies_ajax() function. By manipulating the ticket_id parameter, the attacker can view reply content from any support ticket, thereby compromising the confidentiality of ticket information within the system. This flaw corresponds to CWE-639, which describes an authorization bypass enabling unauthorized data access.
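The missing step the description refers to, as an added example that is not the plugin's own code: a hypothetical WordPress AJAX handler (names prefixed example_, post types 'ticket' and 'ticket_reply' assumed; everything else is WordPress core API) that authorizes the caller against the requested ticket before returning its replies.

```php
<?php
// Hypothetical handler (not the plugin's code); post types 'ticket' and
// 'ticket_reply' are assumed. All other functions are WordPress core APIs.
// wp_ajax_ hooks fire only for logged-in users; no wp_ajax_nopriv_ is registered.
add_action( 'wp_ajax_example_get_ticket_replies', 'example_get_ticket_replies_ajax' );

// Object-level check an IDOR-affected handler lacks: the ID alone grants nothing.
function example_user_can_view_ticket( $ticket_id, $user_id ) {
	$ticket = get_post( $ticket_id );
	if ( ! $ticket || 'ticket' !== $ticket->post_type ) {
		return false; // unknown ID or not a ticket
	}
	if ( (int) $ticket->post_author === (int) $user_id ) {
		return true; // the user who opened the ticket
	}
	// Agents: 'edit_post' is a core meta capability mapped onto the post type's
	// capabilities, so staff are covered without hard-coding role names.
	return current_user_can( 'edit_post', $ticket->ID );
}

function example_get_ticket_replies_ajax() {
	// Nonce check defeats CSRF; it says nothing about which ticket is allowed.
	check_ajax_referer( 'example_ticket_replies', 'nonce' );
	$ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;

	// Authorize the caller-supplied ticket_id before touching any reply data.
	if ( ! example_user_can_view_ticket( $ticket_id, get_current_user_id() ) ) {
		// One response for "no such ticket" and "not yours": no enumeration oracle.
		wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 );
	}

	$replies = get_posts( array(
		'post_type'   => 'ticket_reply',
		'post_parent' => $ticket_id,
		'numberposts' => -1,
		'orderby'     => 'date',
		'order'       => 'ASC',
	) );
	$out = array();
	foreach ( $replies as $reply ) {
		$out[] = array(
			'id'      => $reply->ID,
			'author'  => (int) $reply->post_author,
			'content' => apply_filters( 'the_content', $reply->post_content ),
		);
	}
	wp_send_json_success( $out ); // calls wp_die() for us
}
```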

Affected Systems

WordPress sites running the Awesome Support – WordPress HelpDesk & Support Plugin, version 6.3.7 or earlier, are affected. Any installation that grants subscriber or higher privileges to users is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate risk level. The vulnerability requires the attacker to be authenticated, limiting the attack surface to users with subscriber-level access. No publicly disclosed exploit code exists, and the issue is not listed in the CISA KEV catalog, suggesting that exploitation is unlikely but remains a concern for sites with many authenticated users.

Generated by OpenCVE AI on April 8, 2026 at 10:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed version of the Awesome Support plugin and confirm it is newer than 6.3.7.
  • Upgrade the plugin to the latest release to remove the insecure direct object reference.
  • After the upgrade, test ticket reply access to ensure that subscribers can no longer view tickets they should not have permission to see.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Added:
  Awesomesupport
  Awesomesupport awesome Support Wordpress Helpdesk & Support
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Awesomesupport
  Awesomesupport awesome Support Wordpress Helpdesk & Support
  Wordpress
  Wordpress wordpress

Wed, 08 Apr 2026 08:15:00 +0000

Type: Description
Values Added: The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.

Type: Title
Values Added: Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Awesomesupport Awesome Support Wordpress Helpdesk & Support
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T18:50:47.666Z

Reserved: 2026-03-23T15:00:10.423Z

Link: CVE-2026-4654

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-08T08:16:24.237

Modified: 2026-04-24T18:15:28.940

Link: CVE-2026-4654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:22:19Z

Weaknesses