Platform
wordpress
Component
supportcandy
Fixed in
3.4.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in the SupportCandy WordPress plugin. An attacker who can get a logged-in user to load attacker-controlled content can cause that user's browser to submit requests to the site that the user never intended, leading to unauthorized changes within the plugin. The vulnerability affects every release before the fix (listed as versions 0.0.0 through 3.4.1) and is resolved in version 3.4.2.
CSRF works because the browser automatically attaches the victim's WordPress authentication cookies to any request sent to the site, including one triggered from a page the attacker controls. In WordPress terms, a CSRF bug almost always means a state-changing handler that does not verify a nonce (wp_verify_nonce / check_admin_referer / check_ajax_referer) before acting; the advisory does not identify which SupportCandy handler is affected. Depending on that handler, a successful attack could modify plugin settings, create or delete support tickets, or perform other actions within the plugin, all as the victim user. The blast radius depends on the victim's privileges: if the victim is an administrator, the attacker gains the same control over the site's support features that the administrator has. Two conditions must hold for exploitation: the victim must be logged in to the WordPress site, and the victim must visit a page or follow a link the attacker controls. No public exploitation of this SupportCandy issue is known, but CSRF bugs in WordPress plugins are commonly exploited, often chained with other weaknesses to escalate privileges.
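The following is an added illustration of the WordPress pattern behind this class of bug, written for this page; it is not SupportCandy's code and does not claim to show the affected handler. The action name, option name, script handle and file name are hypothetical placeholders. It shows an admin-ajax handler that changes state with no nonce or capability check, beside the hardened form of the same handler and the enqueue code that delivers the nonce to the legitimate front end.

```php
<?php
// Added example for this page; not SupportCandy code.
// 'example_ticket_setting', 'example.js' and the option name are
// hypothetical placeholders.

// VULNERABLE shape (shown for contrast, deliberately not registered):
// a state-changing handler with neither a nonce nor a capability check.
// An attacker page can auto-submit a form to
//   /wp-admin/admin-ajax.php?action=example_ticket_setting
// and the victim's browser attaches the WordPress auth cookies, so the
// request is processed as the victim.
function example_ticket_setting_vulnerable() {
	$value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
	update_option( 'example_ticket_setting', $value );
	wp_send_json_success();
}

// HARDENED shape: the same handler, but it
//  1. rejects any request without a valid nonce bound to this action
//     (check_ajax_referer() terminates the request with 403 on failure), and
//  2. re-checks the caller's capability server-side, so a low-privilege
//     user with a valid nonce still cannot reach an admin-only change.
add_action( 'wp_ajax_example_ticket_setting', 'example_ticket_setting_hardened' );
function example_ticket_setting_hardened() {
	check_ajax_referer( 'example_ticket_setting', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient privileges', 403 );
	}
	$value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
	update_option( 'example_ticket_setting', $value );
	wp_send_json_success();
}

// The legitimate front end receives the nonce inside a page rendered by the
// site. An attacker's origin cannot read that page (same-origin policy), so
// it cannot obtain a nonce to forge the request.
add_action( 'admin_enqueue_scripts', function () {
	wp_enqueue_script( 'example-ticket-setting', plugins_url( 'example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'example-ticket-setting', 'exampleTicketSetting', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_ticket_setting' ),
	) );
} );
```

The nonce check is what defeats CSRF; the capability check is a separate control, and both are needed. A nonce alone still lets any authenticated user call the handler, and a capability check alone still lets the attacker ride an administrator's session.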
CVE-2025-67598 was publicly disclosed on 2025-12-09. There is no indication of active exploitation at this time. The EPSS score is low (0.02%, 5th percentile), consistent with the absence of a public exploit and with the fact that CSRF needs victim interaction (the target must be logged in and must be lured to attacker-controlled content). The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67598 is to upgrade the SupportCandy plugin to version 3.4.2 or later. If an immediate upgrade is not feasible because of compatibility concerns, a Web Application Firewall can serve as a stopgap, with the caveat that a WAF cannot tell a forged request from a legitimate one by payload alone: the useful rule is one that rejects state-changing requests to the plugin's endpoints whose Origin or Referer header is missing or does not match the site's own host, which stops browser-initiated cross-site requests. Test such a rule against legitimate traffic before relying on it, and treat it as interim protection only. Do not count on browser SameSite cookie defaults either: top-level GET navigations still carry cookies under SameSite=Lax, and not all browsers apply Lax by default. Educate users about clicking suspicious links while logged in to the site, and review WordPress roles and plugin permissions so that the accounts most likely to be targeted hold no more privilege than they need. After the upgrade, confirm functionality by testing key SupportCandy features as a standard user and as an administrator.
Update to version 3.4.2, or a newer patched version
CVE-2025-67598 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–3.4.1 of the SupportCandy WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using SupportCandy plugin versions between 0.0.0 and 3.4.1. Check your plugin version and upgrade if necessary.
Upgrade the SupportCandy plugin to version 3.4.2 or later. Consider implementing a WAF with CSRF protection as an interim measure.
There is currently no indication that CVE-2025-67598 is being actively exploited. Since a fixed version is available, upgrade rather than waiting for evidence of exploitation.
Refer to the official SupportCandy plugin website or WordPress plugin repository for the latest advisory and update information.