CVE-2025-10658 MEDIUM

CVE-2025-10658: SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.7 - Authentication Bypass to Support Session Takeover

Vendor Psmplugins
Product SupportCandy – Helpdesk & Customer Support Ticket System
Weakness CWE-307 · Brute force
Published September 20, 2025
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
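The control the advisory says is missing, shown as an added illustration (not the plugin's code): a hypothetical guest-login OTP store in Python that invalidates a 6-digit code after a small number of wrong guesses and after a time limit, compares in constant time, and makes each code single use. The class name, `MAX_ATTEMPTS` and `OTP_TTL_SECONDS` are assumed policy values, not taken from SupportCandy.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
MAX_ATTEMPTS = 5        # assumed policy: discard the code after 5 wrong guesses
OTP_TTL_SECONDS = 600   # assumed policy: code expires after 10 minutes


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    failures: int = 0


class GuestOtpVerifier:
    """Hypothetical guest-login OTP store with attempt and time limits."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._pending = {}       # email -> PendingOtp

    def issue(self, email: str) -> str:
        # CSPRNG-backed, zero-padded 6-digit code; re-issuing replaces the old one
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[email] = PendingOtp(code, self._now())
        return code

    def verify(self, email: str, guess: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._now() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[email]          # expired: a new code must be requested
            return False
        if hmac.compare_digest(entry.code, guess):
            del self._pending[email]          # single use
            return True
        entry.failures += 1
        if entry.failures >= MAX_ATTEMPTS:
            del self._pending[email]          # lock out: guessing the rest is impossible
        return False


def brute_force_success_probability(attempts_allowed: int, digits: int = OTP_DIGITS) -> float:
    """Chance that an attacker limited to N guesses hits a uniformly random code."""
    return min(1.0, attempts_allowed / 10 ** digits)
```

With no limit an attacker needs at most 10^6 guesses per code; with the 5-attempt cap above the per-code success probability drops to 5e-6.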

Explanation of Vulnerability in Simple Terms

02 Summary

SupportCandy versions up to and including 3.3.7 contain a weak authentication mechanism: the guest-login OTP check is not rate limited, so an attacker can bypass login controls without valid credentials by guessing the code. The vulnerability affects the helpdesk ticket system's authentication layer, enabling unauthorized access to customer support data. Network access is required, but no user interaction or special privileges are needed to exploit this flaw.

What an attacker can do

03 Attacker Capabilities

Bypass authentication and gain unauthorized access to the helpdesk system without valid credentials.

Potential impact on your site

04 Site Impact

Attackers can access customer support tickets, personal information, and helpdesk data without logging in.

Conditions required to exploit

05 Prerequisites

Network access to the SupportCandy installation; no authentication or user interaction required.

Key dates

06 Disclosure timeline

September 20, 2025 CVE published
April 8, 2026 Record updated