CVE-2025-5957: 
WordPress vulnerability analysis and mitigation

The Guest Support – Complete customer support ticket system for WordPress plugin is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in versions up to and including 1.2.2. This vulnerability, tracked as CVE-2025-5957, was discovered on July 8, 2025, and allows unauthenticated attackers to delete arbitrary support tickets (NVD).

The vulnerability stems from a missing authorization check in the 'deleteMassTickets' function within the ajax.php file. Prior to version 1.2.3, the code did not properly verify user capabilities before allowing ticket deletion operations. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-862: Missing Authorization (NVD).

The vulnerability allows unauthorized attackers to delete support tickets from the system, potentially resulting in loss of important customer support data and communications. This could disrupt business operations and lead to loss of customer service history (NVD).

The vulnerability has been fixed in version 1.2.3 of the Guest Support plugin. The update adds proper permission checks requiring users to be either administrators or authorized agents with appropriate delete permissions. Users are strongly advised to update to version 1.2.3 or later (WordPress Plugin).