Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data exposure of support ticket contents
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System allows authenticated users with Subscriber level or higher access to read all support tickets. This is caused by an insecure direct object reference in the 'eh_crm_ticket_single_view_client' function, where a user‑controlled key is not validated. The result is a confidentiality compromise: attackers can view ticket contents that should be restricted to higher‑privileged roles.

Affected Systems

The affected product is ELEX WordPress HelpDesk & Customer Ticketing System for WordPress, versions up to and including 3.2.9. The plugin is available as a free installation from the WordPress plugin repository and is identified in the cpe entry cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate risk, and the EPSS score is less than 1%, suggesting a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers would need authenticated access at the Subscriber level to exploit this IDOR and read ticket data. They would provide a client‑specific key in the request, and the plugin would return the corresponding ticket’s content without proper permission checks.

Generated by OpenCVE AI on April 21, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.0 or later, which resolves the IDOR issue
  • If upgrading immediately is not feasible, deny Subscriber and lower roles from accessing the 'eh_crm_ticket_single_view_client' endpoint by adding a role‑based access check or a custom plugin that blocks the request
  • Review and adjust user roles and capabilities to ensure only authorized personnel have Subscriber or higher access to the support ticket system

Generated by OpenCVE AI on April 21, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 26 Nov 2025 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Elula
Elula wsdesk
CPEs cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*
Vendors & Products Elula
Elula wsdesk

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Elextensions
Elextensions elex Wordpress Plugin
Wordpress
Wordpress wordpress
Vendors & Products Elextensions
Elextensions elex Wordpress Plugin
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
Description The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.
Title ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.9 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client'
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Elextensions Elex Wordpress Plugin
Elula Wsdesk
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:16.477Z

Reserved: 2025-09-05T17:36:58.320Z

Link: CVE-2025-10039

cve-icon Vulnrichment

Updated: 2025-11-21T13:24:19.966Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-21T13:15:45.467

Modified: 2025-11-26T16:49:15.313

Link: CVE-2025-10039

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses