WordPress Plugin: supportcandy: CVE-2026-0683: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:C/I:N/A:N) | Jan 30, 2026 | Feb 2, 2026 | Feb 2, 2026 |
Description
The SupportCandy – Helpdesk and Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
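The description above names a specific defect pattern: a numeric filter operand interpolated into SQL when the operator is "equals", with no escaping and no prepared statement. The following PHP is an added illustration of that pattern beside its hardened form; it is not SupportCandy's code, and the function names, the operator vocabulary and the use of a `$column` parameter are assumptions made for the example. The hardened version relies on the real WordPress `wpdb::prepare()` API with `%f` placeholders.

```php
<?php
// Added example (not the plugin's code): building the WHERE fragment for a
// Number-type custom field filter. The column name is assumed to come from the
// plugin's own field configuration; operator and operand come from the request.

// Vulnerable pattern, as the advisory describes it: for the "equals" operator
// the user-supplied operand goes straight into the SQL string. Whatever the
// operand contains becomes part of the query.
function build_number_filter_vulnerable( string $column, string $operator, string $operand ): string {
    if ( $operator === 'equals' ) {
        return "{$column} = {$operand}";          // no escaping, no prepare()
    }
    return "{$column} = 0";                       // other operators omitted for brevity
}

// Hardened version. Three checks, each closing one way user input can reach SQL:
//   1. the operator is mapped through a fixed whitelist, never passed through;
//   2. the operand must be numeric before it is bound, since a Number field
//      only ever compares against numbers;
//   3. the value is bound with wpdb::prepare() using a typed placeholder (%f),
//      so the database driver, not string concatenation, decides its meaning.
function build_number_filter_safe( wpdb $wpdb, string $column, string $operator, $operand ): ?string {
    $operators = array(
        'equals'       => '=',
        'not_equals'   => '<>',
        'greater_than' => '>',
        'less_than'    => '<',
    );

    if ( ! isset( $operators[ $operator ] ) ) {
        return null;                              // unknown operator: reject the filter
    }
    if ( ! is_numeric( $operand ) ) {
        return null;                              // "5 OR 1=1" is not a number
    }

    // Identifiers cannot be bound with %s/%d/%f, so the column name is validated
    // against a conservative character set before it is placed in the query.
    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $column ) ) {
        return null;
    }

    return $wpdb->prepare(
        "{$column} {$operators[ $operator ]} %f",
        (float) $operand
    );
}

// Typical call site inside a WordPress request handler (assumed shape):
//   global $wpdb;
//   $where = build_number_filter_safe( $wpdb, $field_column, $_GET['op'], $_GET['value'] );
//   if ( null === $where ) { /* return an empty result or a 400, never fall back to raw SQL */ }
//   $rows = $wpdb->get_results( "SELECT id FROM {$wpdb->prefix}tickets WHERE {$where}" );
```

Two points worth checking in a review of any filter code like this: every operator branch must go through `prepare()`, not just the ones that were noticed first (the advisory's defect was specific to the equals operator), and the numeric validation should happen before the value is ever formatted into a string. On WordPress 6.2 and later, `wpdb::prepare()` also accepts the `%i` placeholder for identifiers, which can replace the regular-expression check on `$column`.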
Solution
supportcandy-plugin-cve-2026-0683