01 Description: What the vulnerability does
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.
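The point of the description above is that the AJAX handler is reachable only by logged-in users (WordPress routes wp_ajax_ actions to authenticated sessions), but authentication is not authorization: nothing binds the requested ticket_id to the caller, so any subscriber can walk through IDs. The handler below is an added example, not Awesome Support's own code, showing the object-level check that the vulnerable function lacks. The action name, nonce name, post type names ('ticket', 'ticket_reply'), the assignee meta key and the 'example_view_all_tickets' capability are assumptions chosen for illustration, not identifiers taken from the plugin.

```php
<?php
/**
 * Added example (not the plugin's own code): a WordPress AJAX handler that
 * returns ticket replies only after verifying that the current user is
 * allowed to view the requested ticket. Hook name, nonce name, post types,
 * meta key and capability name are assumptions for illustration.
 */

// Hypothetical action name; wp_ajax_ (without nopriv) already requires a login.
add_action( 'wp_ajax_example_get_ticket_replies', 'example_get_ticket_replies_ajax' );

/**
 * Decide whether $user_id may read $ticket.
 * Allowed: the ticket's author, the agent stored in the assumed meta key
 * '_example_assignee', or a user holding the assumed capability
 * 'example_view_all_tickets'. Everyone else is denied.
 */
function example_user_can_view_ticket( WP_Post $ticket, int $user_id ): bool {
	if ( $user_id <= 0 ) {
		return false; // never authorize an anonymous caller
	}
	if ( (int) $ticket->post_author === $user_id ) {
		return true;
	}
	$assignee = (int) get_post_meta( $ticket->ID, '_example_assignee', true );
	if ( $assignee > 0 && $assignee === $user_id ) {
		return true;
	}
	return user_can( $user_id, 'example_view_all_tickets' );
}

function example_get_ticket_replies_ajax(): void {
	// CSRF protection first; the nonce action name is an assumption.
	check_ajax_referer( 'example_ticket_nonce', 'nonce' );

	$ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
	$ticket    = $ticket_id ? get_post( $ticket_id ) : null;

	// Reject unknown IDs and IDs that point at some other post type.
	if ( ! $ticket instanceof WP_Post || 'ticket' !== $ticket->post_type ) {
		wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 );
	}

	// The step the vulnerable version skips: tie the object to the caller.
	if ( ! example_user_can_view_ticket( $ticket, get_current_user_id() ) ) {
		wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
	}

	$replies = get_posts( array(
		'post_type'   => 'ticket_reply', // assumed reply post type
		'post_parent' => $ticket->ID,
		'post_status' => 'any',
		'numberposts' => -1,
		'orderby'     => 'date',
		'order'       => 'ASC',
	) );

	$payload = array();
	foreach ( $replies as $reply ) {
		$payload[] = array(
			'id'      => $reply->ID,
			'author'  => (int) $reply->post_author,
			'date'    => $reply->post_date_gmt,
			'content' => wp_kses_post( $reply->post_content ),
		);
	}
	wp_send_json_success( $payload );
}
```

Two design choices matter here. The authorization decision lives in one function that takes the loaded ticket object, so every other handler that touches a ticket (reply, close, attachment download) can reuse it instead of re-implementing the check. And "not found" and "not allowed" are distinguished only after the type check, so a caller cannot use the response to learn whether an ID belongs to a ticket they are not allowed to see; returning 404 for both cases would close even that small signal. For detection, the 403 branch is the natural place to log the user ID and requested ticket_id, since a single account producing many such denials in a short window is exactly the enumeration pattern the advisory describes.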
02 Summary: Explanation of the vulnerability in simple terms
Awesome Support versions 6.3.7 and earlier contain an authorization flaw that allows unauthenticated attackers to read sensitive information over the network. The vulnerability requires no user interaction and affects the plugin's confidentiality controls. Site administrators should update to a version newer than 6.3.7 to remediate the issue.
03 Attacker Capabilities: What an attacker can do
Read sensitive information from the plugin without logging in.
04 Site Impact: Potential impact on your site
Sensitive data may be exposed to unauthenticated visitors without your knowledge.
05 Prerequisites: Conditions required to exploit
Network access to the site; no authentication or user interaction required.
06 Disclosure timeline: Key dates
April 8, 2026: CVE published
April 8, 2026: Record updated