CVE-2026-4654 MEDIUM

CVE-2026-4654: Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter

Vendor Awesomesupport
Product Awesome Support – WordPress HelpDesk & Support Plugin
Weakness CWE-639 (Authorization Bypass Through User-Controlled Key) · IDOR
Published April 8, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. The wpas_get_ticket_replies_ajax() function (the AJAX handler that returns the replies of a ticket) takes the ticket_id it is given and never verifies whether the authenticated user is permitted to view that specific ticket. This makes it possible for authenticated attackers, with subscriber-level access and above, to read sensitive information from every support ticket in the system simply by changing the ticket_id parameter.
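The following is an added, illustrative example of the bug class described above and of the check that closes it; it is not the Awesome Support plugin's own code and is not its patch. The post type names ('ticket', 'ticket_reply'), the AJAX action name, the nonce name and the 'view_ticket' capability are assumptions made for the example, not identifiers taken from the plugin.

```php
<?php
/*
 * Added illustrative example (not the Awesome Support plugin's own code).
 * Shows a WordPress admin-ajax handler that looks up replies by a
 * caller-supplied ticket_id without checking that the caller may view
 * that ticket (the CWE-639 pattern), beside a hardened version.
 *
 * Assumptions (not stated on the page): tickets are the 'ticket' post type,
 * replies are 'ticket_reply' posts whose post_parent is the ticket, the
 * action is 'example_get_ticket_replies', and agents hold 'view_ticket'.
 */

// --- Vulnerable pattern: any logged-in user can read any ticket's replies ---
function example_get_ticket_replies_ajax_vulnerable() {
    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;

    // Only checks that the ticket exists, never who is allowed to see it.
    $ticket = get_post( $ticket_id );
    if ( ! $ticket || 'ticket' !== $ticket->post_type ) {
        wp_send_json_error( 'Ticket not found', 404 ); // calls wp_die()
    }

    wp_send_json_success( example_collect_replies( $ticket_id ) );
}

// --- Hardened pattern: nonce + authentication + object-level authorization ---

// Object-level check: is this particular user allowed to view this ticket?
function example_can_view_ticket( $ticket, $user_id ) {
    // The customer who opened the ticket may always read it.
    if ( (int) $ticket->post_author === (int) $user_id ) {
        return true;
    }
    // Agents and admins: gate on a capability, not on "is logged in".
    // 'view_ticket' is an assumed capability name for this example.
    return user_can( $user_id, 'view_ticket' );
}

// Collects replies for a ticket; called only after authorization passed.
function example_collect_replies( $ticket_id ) {
    $replies = get_posts( array(
        'post_type'   => 'ticket_reply',
        'post_parent' => $ticket_id,
        'post_status' => 'any',
        'numberposts' => -1,
        'orderby'     => 'date',
        'order'       => 'ASC',
    ) );
    $out = array();
    foreach ( $replies as $reply ) {
        $out[] = array(
            'id'      => $reply->ID,
            'author'  => (int) $reply->post_author,
            'date'    => $reply->post_date_gmt,
            'content' => $reply->post_content,
        );
    }
    return $out;
}

function example_get_ticket_replies_ajax_hardened() {
    // 1. CSRF: the request must carry the nonce the page was rendered with.
    check_ajax_referer( 'example_ticket_replies', 'nonce' );

    // 2. Authentication.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 401 );
    }

    // 3. Input: ticket_id is an integer post ID and nothing else.
    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    $ticket    = get_post( $ticket_id );
    if ( ! $ticket || 'ticket' !== $ticket->post_type ) {
        wp_send_json_error( 'Ticket not found', 404 );
    }

    // 4. Object-level authorization: the check whose absence is the IDOR.
    //    Same response as "missing" so the endpoint cannot be used to
    //    enumerate which ticket IDs exist.
    if ( ! example_can_view_ticket( $ticket, get_current_user_id() ) ) {
        wp_send_json_error( 'Ticket not found', 404 );
    }

    wp_send_json_success( example_collect_replies( $ticket_id ) );
}

// Register only the hardened handler, and only for logged-in users
// (no 'wp_ajax_nopriv_' variant, so anonymous callers never reach it).
add_action( 'wp_ajax_example_get_ticket_replies', 'example_get_ticket_replies_ajax_hardened' );
```

The point to audit for in any similar handler is step 4: a nonce and a logged-in check only establish who is calling, not whether that caller may see the object named by the supplied ID. Returning the same 404 for "does not exist" and "not yours" also stops the endpoint being used to map the ticket ID space.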

Explanation of Vulnerability in Simple Terms

02 Summary

Awesome Support versions 6.3.7 and earlier contain an authorization flaw (CWE-639): the AJAX handler that returns a ticket's replies trusts the caller-supplied ticket_id and never checks that the logged-in user owns, or is otherwise allowed to view, that ticket. Any account at Subscriber level or above can therefore read the replies of every ticket on the site by changing the ticket_id value. No user interaction is required, and only confidentiality is affected. Note that the CVSS vector above records Privileges Required as None, which is inconsistent with the Subscriber+ precondition stated in the title and description; when triaging, also remember that on sites with open registration ("Anyone can register") a Subscriber account is available to any visitor, which makes the practical bar close to unauthenticated. Site administrators should update to a release later than 6.3.7 that carries the fix.

What an attacker can do

03 Attacker Capabilities

While logged in with any account at Subscriber level or above, read the replies of any support ticket on the site, not only their own, by supplying another ticket's ticket_id to the replies AJAX handler, and repeat this across the ID range to harvest every ticket.

Potential impact on your site

04 Site Impact

The contents of support ticket replies, which commonly include customer names, contact details, order data, credentials and internal agent notes, can be read by any registered user. Where open registration is enabled this effectively means any visitor. The reads leave no trace in the ticket itself, so exposure can go unnoticed.

Conditions required to exploit

05 Prerequisites

Network access to the site and a logged-in account at Subscriber level or higher (for example a self-registered account where registration is open); no user interaction is required.

Key dates

06 Disclosure timeline

April 8, 2026 CVE published
April 8, 2026 Record updated
