Atomic Edge analysis of CVE-2026-1251:
The SupportCandy WordPress plugin contains an Insecure Direct Object Reference vulnerability in versions up to 3.4.4. This vulnerability affects the file attachment handling mechanism within the ticket reply functionality. Authenticated attackers with subscriber-level permissions can exploit this flaw to steal file attachments from other users’ tickets.

Root Cause:
The vulnerability exists in the `add_reply` function’s handling of the `description_attachments` parameter. Atomic Edge research identified that the plugin fails to validate whether attachment IDs submitted in this parameter belong to the current user. The code processes arbitrary attachment IDs without checking ownership, allowing attackers to reference files uploaded by other users. The vulnerability manifests in the attachment association logic where the plugin reassigns file ownership based on unvalidated user input.

Exploitation:
Attackers exploit this vulnerability by submitting a crafted POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the action parameter set to `wpsc_add_reply`. The malicious payload includes arbitrary attachment IDs in the `description_attachments[]` parameter array. These IDs correspond to files uploaded by other users. When the plugin processes the reply, it associates the specified attachments with the attacker’s ticket, effectively transferring file ownership and removing access from the original uploader.

Patch Analysis:
The patch adds ownership validation before processing attachment IDs. Atomic Edge analysis of the code diff reveals the fix implements checks to verify that each attachment ID in the `description_attachments` parameter belongs to the current user. The validation occurs before any file association operations. The patched version rejects requests containing attachment IDs not owned by the requesting user, preventing unauthorized file access.
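As an added illustration (not SupportCandy's own code), the shape of the ownership check the patch analysis describes: a hypothetical AJAX reply handler that, before associating any `description_attachments[]` ID with the reply, confirms every submitted attachment row was uploaded by the current user and rejects the whole request otherwise. The table name, column names, nonce action and the `example_attach_to_reply()` helper are assumptions, not the plugin's real schema or API.

```php
<?php
// Hypothetical handler illustrating the ownership validation added by the patch.
// Table/column names and example_attach_to_reply() are assumptions, not SupportCandy code.

// Returns the validated id list, or false if any submitted id is not owned by $user_id.
function example_validate_attachment_ownership( array $attachment_ids, int $user_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_attachments'; // assumed table name

    // Normalise: integers only, no duplicates, drop 0 produced by non-numeric input.
    $ids = array_values( array_filter( array_unique( array_map( 'absint', $attachment_ids ) ) ) );
    if ( empty( $ids ) ) {
        return array();
    }

    // Select rows matching BOTH the submitted id AND the requesting user.
    // The unpatched logic resolved ids without the user_id condition.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $owned = $wpdb->get_col( $wpdb->prepare(
        "SELECT id FROM {$table} WHERE user_id = %d AND id IN ({$placeholders})",
        array_merge( array( $user_id ), $ids )
    ) );

    // Any id missing from the owned set belongs to someone else: reject the request.
    if ( count( $owned ) !== count( $ids ) ) {
        return false;
    }
    return array_map( 'intval', $owned );
}

function example_add_reply_handler() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    check_ajax_referer( 'example_add_reply' ); // assumed nonce action
    $user_id   = get_current_user_id();
    $submitted = isset( $_POST['description_attachments'] )
        ? (array) wp_unslash( $_POST['description_attachments'] ) : array();

    // Validation happens before any attachment is associated with the reply.
    $ids = example_validate_attachment_ownership( $submitted, $user_id );
    if ( false === $ids ) {
        wp_send_json_error( 'attachment not owned by current user', 403 );
    }
    foreach ( $ids as $id ) {
        example_attach_to_reply( $id, $user_id ); // assumed helper that links the file to the reply
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_add_reply', 'example_add_reply_handler' );
```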

Impact:
Successful exploitation allows authenticated attackers with subscriber privileges to steal sensitive file attachments from other users’ support tickets. This can lead to data exposure of confidential documents, personally identifiable information, or proprietary business files uploaded to the helpdesk system. The vulnerability enables horizontal privilege escalation within the file attachment system, bypassing intended access controls.