CVE-2025-67598
Description
Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery. This issue affects SupportCandy: from n/a through <= 3.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the SupportCandy WordPress plugin, versions up to and including 3.4.1, allows an attacker to make a privileged user's browser perform unwanted actions.
Vulnerability
Type
A Cross-Site Request Forgery (CSRF) vulnerability exists in the SupportCandy plugin for WordPress, affecting versions from n/a through 3.4.1. The flaw arises from insufficient CSRF protections, enabling an attacker to trick authenticated users into performing unintended actions without their consent [1].
Exploitation
Prerequisites
Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a deceptive form while authenticated. The attacker needs no account of their own, but relies on the victim's active session. The attack can be aimed at any role, though a higher-privileged user is targeted to maximize impact [1].
Impact
A successful CSRF attack could force a privileged user to execute unwanted actions under their current authentication, such as modifying plugin settings, creating new admin accounts, or performing other state-changing operations. This could lead to partial compromise of the WordPress site's functionality or security [1].
Mitigation
Users must update the SupportCandy plugin to version 3.4.2 or later, which resolves the issue. The vulnerability is rated as low severity with a CVSS v3 score of 4.3 and is unlikely to be widely exploited in mass campaigns. Patchstack users can enable auto-update for vulnerable plugins as an additional safeguard [1].
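To show what "insufficient CSRF protections" means in a WordPress plugin handler, here is an added example (not SupportCandy's code) with a vulnerable settings-save pattern beside its hardened form. All names (`demo_save_settings`, `demo_option`, `demo_nonce`) are hypothetical; the fix pattern uses WordPress's built-in nonce and capability APIs.

```php
<?php
// Illustrative only: hypothetical handler, not taken from SupportCandy.
// Hypothetical names: 'demo_save_settings' (nonce action), 'demo_option' (option key).

// BEFORE (vulnerable pattern): a state change is performed on any POST that
// arrives with an administrator's cookies. Nothing proves the request came
// from the plugin's own form, so a form auto-submitted from an attacker's
// site is accepted by the browser's ambient authentication.
function demo_save_settings_vulnerable() {
    if ( isset( $_POST['demo_option'] ) ) {
        update_option( 'demo_option', sanitize_text_field( wp_unslash( $_POST['demo_option'] ) ) );
    }
}

// AFTER (hardened): the form embeds a nonce bound to the action and to the
// current user's session; the handler requires the nonce AND the capability.
function demo_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); // hidden nonce field
    echo '<input type="text" name="demo_option" value="'
        . esc_attr( get_option( 'demo_option', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function demo_save_settings_hardened() {
    if ( ! isset( $_POST['demo_option'] ) ) {
        return; // nothing to do on a plain page load
    }
    // Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF check: the nonce must match this action for the current user.
    // A third-party page cannot read the nonce, so a forged POST fails here.
    $nonce = isset( $_POST['demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_save_settings' ) ) {
        wp_die( 'Invalid or expired nonce', '', array( 'response' => 403 ) );
    }
    update_option( 'demo_option', sanitize_text_field( wp_unslash( $_POST['demo_option'] ) ) );
}

add_action( 'admin_init', 'demo_save_settings_hardened' );
```

For AJAX endpoints the same check is done with `check_ajax_referer( 'demo_save_settings', 'demo_nonce' )`; the capability check is still required, since a nonce proves request origin, not permission.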
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.