PatchSiren cyber security CVE debrief
CVE-2026-57711 PSM Plugins CVE debrief
The SupportCandy plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS). This vulnerability affects SupportCandy versions up to and including 3.4.8. An attacker with low privileges can inject malicious scripts, potentially leading to unauthorized actions and data exposure. The vulnerability is rated as MEDIUM with a CVSS score of 6.5. Users of SupportCandy plugin versions up to 3.4.8 should prioritize updating to a patched version. The CVE record was published on 2026-07-13T10:16:38.267Z and has not been modified since then. Further verification of affected deployments and review of official advisories are recommended.
- Vendor
- PSM Plugins
- Product
- SupportCandy
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of SupportCandy plugin versions up to 3.4.8 should prioritize updating to a patched version. This includes administrators and security teams responsible for maintaining WordPress installations with the SupportCandy plugin. Additionally, operators and platform managers who rely on SupportCandy for customer support functionality should be aware of the potential risks and take necessary precautions.
Technical summary
The SupportCandy plugin is vulnerable to Stored Cross-Site Scripting (XSS). An attacker with low privileges can inject malicious scripts, potentially leading to unauthorized actions and data exposure. The vulnerability is rated as MEDIUM with a CVSS score of 6.5. The vulnerability affects SupportCandy versions up to and including 3.4.8.
Defensive priority
Medium priority due to potential for user exploitation and data exposure
Recommended defensive actions
- Update SupportCandy plugin to a version beyond 3.4.8
- Review and limit user privileges to prevent low-privilege users from injecting malicious scripts
- Implement Content Security Policy (CSP) to mitigate XSS attacks
- Monitor plugin and user activity for suspicious behavior
- Review compensating controls for exposed systems while remediation is scheduled and verified
Evidence notes
Evidence is limited; primary official records indicate a Stored XSS vulnerability in SupportCandy plugin versions up to 3.4.8. Further verification is recommended through review of official advisories and CVE records. Defenders should verify affected deployments and assess potential impact on their environments.
Official resources
-
CVE-2026-57711 CVE record
CVE.org
-
CVE-2026-57711 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T10:16:38.267Z and has not been modified since then.