What the vulnerability does
Description
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification step of the guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute-forcing the 6-digit OTP code.
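The following is an added illustration (not SupportCandy's code) of the difference between an unlimited OTP check and one that counts failed attempts and expires the code, which is the control the description says is missing. The store, key names and limits are assumptions standing in for whatever persistence the plugin uses (for example WordPress transients).

```php
<?php
// Added example, not SupportCandy's code. In-memory store stands in for a
// persistent one; keys are hypothetical (e.g. "ticket:123").
const OTP_TTL_SECONDS  = 600; // code expires after 10 minutes
const OTP_MAX_ATTEMPTS = 5;   // code is invalidated after 5 wrong guesses

// Weak form: compares the guess and nothing else. With no attempt counter a
// 6-digit code falls to at most 1,000,000 requests against this check.
function otp_verify_unlimited(array $store, string $key, string $guess): bool {
    return isset($store[$key]) && hash_equals($store[$key]['code'], $guess);
}

function otp_issue(array &$store, string $key): string {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $store[$key] = ['code' => $code, 'expires' => time() + OTP_TTL_SECONDS, 'attempts' => 0];
    return $code; // delivered to the requester's e-mail in a real flow
}

// Hardened form: bounded attempts, expiry, single use, constant-time compare.
function otp_verify(array &$store, string $key, string $guess): bool {
    if (!isset($store[$key])) {
        return false;
    }
    if (time() > $store[$key]['expires'] || $store[$key]['attempts'] >= OTP_MAX_ATTEMPTS) {
        unset($store[$key]); // expired or exhausted: requester must ask for a new code
        return false;
    }
    $store[$key]['attempts']++; // count before comparing so a failure is always recorded
    if (!preg_match('/^\d{6}$/', $guess) || !hash_equals($store[$key]['code'], $guess)) {
        return false;
    }
    unset($store[$key]); // accepted codes are single use
    return true;
}

// Demo: five wrong guesses lock the code, after which even the right one fails.
$store = [];
$code  = otp_issue($store, 'ticket:123');
$wrong = ($code === '000000') ? '000001' : '000000';
for ($i = 0; $i < OTP_MAX_ATTEMPTS; $i++) {
    otp_verify($store, 'ticket:123', $wrong);
}
echo otp_verify($store, 'ticket:123', $code) ? "accepted\n" : "rejected (locked out)\n";
```

Per-key counting limits guessing of one code; a deployment would also throttle per source address and log the lockouts so a burst of failed OTP checks is visible to monitoring.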
Explanation of Vulnerability in Simple Terms
Summary
SupportCandy versions up to 3.3.7 contain a weak authentication mechanism that allows attackers to bypass login controls without valid credentials. The vulnerability affects the helpdesk ticket system's authentication layer, enabling unauthorized access to customer support data. Network access is required, but no user interaction or special privileges are needed to exploit this flaw.
What an attacker can do
Attacker Capabilities
Bypass authentication and gain unauthorized access to the helpdesk system without valid credentials.
Potential impact on your site
Site Impact
Attackers can access customer support tickets, personal information, and helpdesk data without logging in.
Conditions required to exploit
Prerequisites
Network access to the SupportCandy installation; no authentication or user interaction required.
Key dates
Disclosure timeline
September 20, 2025: CVE published
April 8, 2026: Record updated