CVE-2026-54826 PSM Plugins CVE debrief

Who should care

Administrators and users of SupportCandy plugin versions <= 3.4.6 should prioritize patching this vulnerability. The HIGH severity and CVSS score of 7.6 indicate significant risk. Security teams and WordPress administrators should review and update affected installations.

Technical summary

CVE-2026-54826 is a Subscriber Insecure Direct Object References (IDOR) vulnerability in SupportCandy plugin versions <= 3.4.6. The vulnerability allows unauthorized access to sensitive data. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L. The CWE-639 weakness is associated with this vulnerability.

Defensive priority

Patching SupportCandy plugin versions <= 3.4.6 is crucial due to the HIGH severity and CVSS score of 7.6. Security teams should prioritize updating affected installations.

Recommended defensive actions

• Patch SupportCandy plugin to version > 3.4.6
• Review and update affected installations
• Monitor for suspicious activity related to SupportCandy plugin

Evidence notes

The CVE record and NVD detail pages provide official information. A mitigation reference from Patchstack is available. The vulnerability was published on 2026-06-26T15:16:40.350Z and last modified on 2026-06-29T18:16:37.700Z.

Official resources