CVE-2025-10658 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3…
Medium CVSS: 6.5

CVE-2025-10658

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
Vendor
-
Product
-
CWE
CWE-307
Yayın Tarihi
2025-09-20 07:15:35
Güncelleme
2025-09-22 21:23:01
Source Identifier
security@wordfence.com
KEV Date Added
-

Kategoriler

CWE-307 MEDIUM 2025

Referanslar

https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.3.7/includes/class-wpsc-current-user.php#L820 https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.3.7/includes/models/class-wpsc-email-otp.php#L348 https://plugins.trac.wordpress.org/changeset/3364335/ https://www.wordfence.com/threat-intel/vulnerabilities/id/2b11670a-f6e4-4555-ab76-4223f0194517?source=cve