5.3
Awesome Support Plugin for WordPress Leaks Ticket Info
CVE-2026-4654
Summary
Versions of the Awesome Support WordPress plugin up to and including 6.3.7 have a security flaw that lets authenticated attackers with subscriber-level access or above read sensitive information from any support ticket, including tickets they have no permission to view. Update to the latest version of the plugin to fix this issue.
Original title
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get...
Original description
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.
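The missing check described above, shown as an added example that is not code from the plugin or from this advisory: a lookup that trusts the supplied ticket id, next to one that enforces per-ticket authorization. The function names, the `agent` role and the ticket data are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: ticket id => owner and replies.
const TICKETS = [
    101 => ['owner_id' => 7, 'replies' => ['Password reset link sent.']],
    102 => ['owner_id' => 9, 'replies' => ['Invoice with billing address attached.']],
];

// Pattern described in the advisory: the caller is authenticated, but the
// ticket id it supplies is trusted and $user is never consulted.
function replies_unchecked(array $user, int $ticketId): ?array
{
    return TICKETS[$ticketId]['replies'] ?? null;
}

// Object-level authorization: the ticket must belong to the caller, or the
// caller must hold a role that may read every ticket (roles are assumptions).
function can_view_ticket(array $user, array $ticket): bool
{
    return $ticket['owner_id'] === $user['id']
        || in_array($user['role'], ['agent', 'administrator'], true);
}

function replies_checked(array $user, int $ticketId): array
{
    $ticket = TICKETS[$ticketId] ?? null;
    // Same answer for "missing" and "not yours", so the response cannot be
    // used to learn which ticket ids exist.
    if ($ticket === null || !can_view_ticket($user, $ticket)) {
        return ['status' => 403, 'replies' => []];
    }
    return ['status' => 200, 'replies' => $ticket['replies']];
}

$subscriber = ['id' => 7, 'role' => 'subscriber']; // owns ticket 101 only
$agent      = ['id' => 3, 'role' => 'agent'];

var_dump(replies_unchecked($subscriber, 102) !== null); // another user's ticket leaks
var_dump(replies_checked($subscriber, 102)['status']);  // request for a foreign ticket
var_dump(replies_checked($subscriber, 101)['status']);  // request for own ticket
var_dump(replies_checked($agent, 102)['status']);       // staff role reads any ticket
```

In a WordPress AJAX handler the caller would come from `get_current_user_id()` and the owner from the ticket post's `post_author`, with the check placed before any reply data is loaded.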
NVD CVSS 3.1
5.3
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
- https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/f...
- https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/f...
- https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functi...
- https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functi...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9015fa-b3f0-4312-8ac...
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026