{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4654", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-23T15:00:10.423Z", "datePublished": "2026-04-08T07:43:02.627Z", "dateUpdated": "2026-04-08T18:50:47.666Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:01.277Z"}, "affected": [{"vendor": "awesomesupport", "product": "Awesome Support \u2013 WordPress HelpDesk & Support Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.3.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Awesome Support \u2013 WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter."}], "title": "Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9015fa-b3f0-4312-8acd-02b715e26f33?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1851"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1851"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1823"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1823"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3497662%40awesome-support&new=3497662%40awesome-support&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Iden"}], "timeline": [{"time": "2026-03-23T15:15:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:50:01.418065Z", "id": "CVE-2026-4654", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:50:47.666Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Awesome Support \u2013 WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter."}], "id": "CVE-2026-4654", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T08:16:24.237", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1823"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1851"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1823"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1851"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3497662%40awesome-support&new=3497662%40awesome-support&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9015fa-b3f0-4312-8acd-02b715e26f33?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.3.7]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Awesome Support \u2013 WordPress HelpDesk & Support Plugin", "source": "cna", "vendor": "awesomesupport"}, "product": "awesome_support_wordpress_helpdesk_&_support", "vendor": "awesomesupport"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:39:02.988187+00:00", "value": {"mitigation_remediation": ["Verify the installed version of the Awesome Support plugin and confirm it is newer than 6.3.7.", "Upgrade the plugin to the latest release to remove the insecure direct object reference.", "After the upgrade, test ticket reply access to ensure that subscribers can no longer view tickets they should not have permission to see."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Awesome Support \u2013 WordPress HelpDesk & Support Plugin, version 6.3.7 or earlier, are affected. Any installation that grants subscriber or higher privileges to users is potentially vulnerable.", "description_and_impact": "The Awesome Support plugin contains an insecure direct object reference that allows an authenticated WordPress user with subscriber role or higher to bypass authorization checks when requesting ticket replies via the wpas_get_ticket_replies_ajax() function. By manipulating the ticket_id parameter, the attacker can view reply content from any support ticket, thereby compromising the confidentiality of ticket information within the system. This flaw corresponds to CWE-639, which describes an authorization bypass enabling unauthorized data access.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a moderate risk level. The vulnerability requires the attacker to be authenticated, limiting the attack surface to users with subscriber-level access. No publicly disclosed exploit code exists, and the issue is not listed in the CISA KEV catalog, suggesting that exploitation is unlikely but remains a concern for sites with many authenticated users."}}}}, "created": "2026-04-08T19:43:28.143526+00:00", "updated": "2026-04-09T08:22:19.806104+00:00", "vendors": ["awesomesupport", "awesomesupport$PRODUCT$awesome_support_wordpress_helpdesk_&_support", "wordpress", "wordpress$PRODUCT$wordpress"]}