CVE-2025-67598
WordPress SupportCandy plugin <= 3.4.1 - Cross Site Request Forgery (CSRF) vulnerabilityCross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery.This issue affects SupportCandy: from n/a through <= 3.4.1.
We have discovered 1,152 live websites that are affected by CVE-2025-67598.
Affected Software
| Product |  Supportcandy |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,152 live websites (57% of Supportcandy install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 48 versions ( 92% of all versions) |
Details
- Published - Dec 9, 2025
- Updated - Jan 20, 2026
Credits
- daroo | Patchstack Bug Bounty Program (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2025-67598 United States | 309 websites |
 Germany | 88 websites |
 Italy | 87 websites |
 Iran | 62 websites |
 GB | 61 websites |
 France | 57 websites |
 Brazil | 43 websites |
 India | 32 websites |
 Spain | 31 websites |
 Russia | 25 websites |
Website Distribution by TLD
Number of websites using CVE-2025-67598| .com | 445 websites |
| .it | 70 websites |
| .com.br | 37 websites |
| .org | 36 websites |
| .de | 32 websites |
| .net | 29 websites |
| .co.uk | 26 websites |
| .ru | 22 websites |
| .fr | 21 websites |
| .pl | 20 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-67598
Top websites that are affected by CVE-2025-67598. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.app |  Bulgaria | **,*** | |
| ****************.com | GB | **,*** | |
| ********.pt | United States | **,*** | |
| ***************.com | United States | **,*** | |
| *****.sv |  El Salvador | ***,*** | |
| *************.com | United States | ***,*** | |
| ***********.com | United States | ***,*** | |
| *****************.com | United States | ***,*** | |
| ***********.com | United States | ***,*** | |
| *************.com | GB | ***,*** |
FAQ
A total of 1,152 websites have been identified as vulnerable to CVE-2025-67598, based on global website indexing conducted by WebTechSurvey.
The Supportcandy is affected by the CVE-2025-67598 vulnerability.
Supportcandy versions up to and including 3.4.1 are vulnerable to CVE-2025-67598.