CVE-2024-13552: 
WordPress vulnerability analysis and mitigation

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CVE-2024-13552) affecting all versions up to and including 3.3.0. The vulnerability was discovered and reported by Tim Coen, with public disclosure on March 7, 2025 (NVD).

The vulnerability stems from missing validation on a user-controlled key in the file upload functionality. This security flaw has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The weakness has been classified as CWE-285 (Improper Authorization) (NVD, Wordfence).

The vulnerability allows authenticated attackers to download attachments from support tickets that don't belong to them, potentially exposing sensitive information. If an administrator has enabled tickets for guests, the vulnerability becomes more severe as it can be exploited by unauthenticated attackers (NVD).

Users should update their SupportCandy plugin to a version newer than 3.3.0 when available. Until then, administrators should consider disabling guest ticket submissions to reduce the attack surface (NVD).