CVE-2025-67926

The Fluent Support plugin for WordPress, versions up to and including 1.10.4, is vulnerable to a Missing Authorization issue [1]. This vulnerability allows exploitation of incorrectly configured access control security levels, meaning that certain functions do not properly verify user permissions before granting access.

Attackers can exploit this by sending crafted HTTP requests to the plugin's endpoints, potentially without requiring authentication or with minimal privileges. The attack surface includes AJAX actions and REST API routes that fail to enforce authorization checks, enabling low-privilege users to perform actions intended for administrators or support managers.

Successful exploitation can lead to unauthorized access to support tickets, customer data, and plugin settings. An attacker could modify or delete tickets, view sensitive information, or escalate privileges within the WordPress environment, potentially compromising the entire site.

The vendor has released version 1.10.5, which fixes the vulnerability. Users are strongly recommended to update immediately. For those unable to upgrade, Patchstack provides a virtual patch to mitigate attacks until the update can be applied [1].