Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Degradation via Role Removal
Action: Update Plugin
AI Analysis

Impact

The vulnerability resides in the ELEX WordPress HelpDesk & Customer Ticketing System plugin and is caused by a missing capability check in the 'eh_crm_remove_agent' function. This oversight allows any authenticated user with Subscriber-level access or higher to delete or alter the role and capabilities of any user who holds the Administrator, WSDesk Supervisor, or WSDesk Agents role. The attacker can effectively strip an administrator of all privileges, potentially disrupting site management and exposing sensitive data to a lower-privileged user. The weakness is identified as CWE-862, a missing authorization control flaw.

Affected Systems

The affected product is the ELEX WordPress HelpDesk & Customer Ticketing System plugin, versions up to and including 3.3.1. The plugin is available as a free WordPress add-on and is listed in the Common Platform Enumeration.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate-severity vulnerability. The EPSS score of less than 1% suggests that exploitation attempts are unlikely to be common. The vulnerability is not present in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because the attack requires an account that is already authenticated with at least the Subscriber role, no authentication bypass is involved; the missing check simply lets such an account demote a higher-privileged one. The overall risk to a WordPress installation is moderate, but the probability of exploitation is low.

Generated by OpenCVE AI on April 27, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.2 or later, once a release that restores the capability check is available.
  • If an immediate update is unavailable, restrict the AJAX endpoint that triggers 'eh_crm_remove_agent' by adding server-side access control so that only administrators can invoke it.
  • Verify that all non-administrator accounts have only the appropriate Subscriber or lower privileges; temporarily disable or remove any accounts with Subscriber+ access that do not require it.
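The second recommended action is the standard WordPress pattern for an admin-ajax handler: verify a nonce, then check a capability before acting. The handler below is an added illustration written for this page, not code from the ELEX plugin or from OpenCVE; the action name demo_remove_agent, the nonce name, the user_id parameter and the custom role demo_helpdesk_agent are all assumed names, not identifiers from the affected plugin. The current_user_can() call is the authorization check that the advisory describes as missing.

```php
<?php
// Added example (not the plugin's own code): a WordPress admin-ajax handler that
// removes a helpdesk role only after nonce verification and a capability check.
// 'demo_remove_agent', 'user_id' and 'demo_helpdesk_agent' are assumed names.

add_action( 'wp_ajax_demo_remove_agent', 'demo_remove_agent_handler' );

function demo_remove_agent_handler() {
    // 1. CSRF protection: reject requests that do not carry a valid nonce
    //    for this action (check_ajax_referer() dies on failure).
    check_ajax_referer( 'demo_remove_agent', 'nonce' );

    // 2. Authorization: the check this advisory reports as missing.
    //    Every logged-in user can reach admin-ajax.php, so without this line a
    //    Subscriber could execute everything below. 'manage_options' is
    //    granted to administrators only in a default WordPress install.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: only a positive integer user id is accepted.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $user    = $user_id ? get_user_by( 'id', $user_id ) : false;
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 400 );
    }

    // 4. Least privilege on the effect: touch only the plugin's own role and
    //    never the administrator role, so the endpoint cannot demote an admin
    //    even if a future check is weakened.
    if ( in_array( 'demo_helpdesk_agent', (array) $user->roles, true ) ) {
        $user->remove_role( 'demo_helpdesk_agent' );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

Until a patched plugin release is installed, a site owner can apply the same capability check from a small must-use plugin hooked before the vulnerable action runs, or block the plugin's AJAX action at the web server for non-administrator sessions; the capability check inside the handler is the durable fix.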



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  Values Added:   cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 26 Nov 2025 16:45:00 +0000

Type: First Time appeared
  Values Added: Elula; Elula wsdesk
Type: CPEs
  Values Added: cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*
Type: Vendors & Products
  Values Added: Elula; Elula wsdesk

Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
  Values Added: Elextensions; Elextensions elex Wordpress Plugin; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Elextensions; Elextensions elex Wordpress Plugin; Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 18:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 12:45:00 +0000

Type: Description
  Values Added: The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.
Type: Title
  Values Added: ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Role Removal
Type: Weaknesses
  Values Added: CWE-862
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Elextensions Elex Wordpress Plugin
Elula Wsdesk
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:04.753Z

Reserved: 2025-09-05T19:23:46.309Z

Link: CVE-2025-10054

Vulnrichment

Updated: 2025-11-21T17:44:34.641Z

NVD

Status : Modified

Published: 2025-11-21T13:15:45.657

Modified: 2026-04-08T17:19:55.210

Link: CVE-2025-10054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:00:13Z

Weaknesses