Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-11-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The ELEX WordPress HelpDesk & Customer Ticketing System plugin allows anyone to upload any file type because the AJAX endpoint that creates new tickets does not validate the MIME type or file extension. An unauthenticated attacker can therefore upload a malicious script, such as a PHP backdoor, which, if stored in a publicly accessible directory, can be executed by the web server. This flaw enables full compromise of the affected WordPress site and all data it hosts.

Affected Systems

All instances of the ELEX WordPress HelpDesk & Customer Ticketing System plugin running version 3.3.1 or earlier are impacted. The vulnerability applies whether the plugin is used in free or paid editions on any WordPress installation that has not been upgraded to a patched release.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is rated critical, although the EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not yet listed in CISA's KEV catalog. The attack requires no authentication and can be carried out by sending a crafted POST request to the AJAX endpoint; once the uploaded file is stored in a location from which the web server will execute it, the result is remote code execution.

Generated by OpenCVE AI on April 21, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest version (3.3.2 or later) where file type validation has been added.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin and delete any files that may have been uploaded through its interface.
  • Configure the hosting environment to prevent execution of files in the plugin's upload directories, for example by adding an .htaccess rule that denies PHP execution or by setting folder permissions to non-executable.
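As an added example (not the plugin's code and not OpenCVE's), the kind of allow-list file type validation a ticket-attachment handler needs, built on WordPress' public upload API; the function name hd_validate_ticket_attachment and the list of permitted types are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): allow-list validation for a ticket
// attachment before it is written to disk. Function name and permitted types
// are assumptions for illustration.

function hd_validate_ticket_attachment( array $file ) {
    // Only the attachment types a helpdesk ticket realistically needs; any
    // extension absent from this map (php, phtml, htaccess, ...) is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
        'txt'      => 'text/plain',
    );

    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file was uploaded.' );
    }
    if ( (int) $file['size'] > 5 * MB_IN_BYTES ) {
        return new WP_Error( 'too_large', 'Attachment exceeds 5 MB.' );
    }

    // wp_check_filetype_and_ext() matches the extension against $allowed and,
    // where it can sniff the content (images, finfo-recognised types), rejects
    // a mismatch between extension and content by returning empty ext/type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'This file type is not permitted.' );
    }

    // Never reuse the client-supplied name: build one from a random token plus
    // the allow-listed extension WordPress verified, so the stored file can
    // never carry a script extension or path characters, whatever its content.
    $safe_name = wp_generate_password( 16, false ) . '.' . $check['ext'];

    // Let WordPress move the file. test_form is false because an AJAX request
    // has no 'action' form field; 'mimes' re-applies the allow-list.
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) use ( $safe_name ) {
            return $safe_name;
        },
    );
    return wp_handle_upload( $file, $overrides ); // array with 'file'/'url', or 'error'
}
```

Pair this with the .htaccess or permission hardening above: validation stops script uploads, and a no-execute upload directory limits the damage if validation is ever bypassed.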


Advisories

No advisories yet.

History

Wed, 26 Nov 2025 17:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Elula
                                       Elula wsdesk
CPEs                                   cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*
Vendors & Products                     Elula
                                       Elula wsdesk

Mon, 24 Nov 2025 18:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 24 Nov 2025 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Elextensions
                                       Elextensions elex Wordpress Plugin
                                       Wordpress
                                       Wordpress wordpress
                                       Wordpress wordpress Mu
Vendors & Products                     Elextensions
                                       Elextensions elex Wordpress Plugin
                                       Wordpress
                                       Wordpress wordpress
                                       Wordpress wordpress Mu

Fri, 21 Nov 2025 07:45:00 +0000

Type                  Values Removed   Values Added
Description                            The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title                                  ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Unauthenticated Arbitrary File Upload
Weaknesses                             CWE-434
References
Metrics                                cvssV3_1
                                       {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:35.745Z

Reserved: 2025-10-07T18:07:44.972Z

Link: CVE-2025-11456

Vulnrichment

Updated: 2025-11-21T16:15:57.646Z

NVD

Status: Analyzed

Published: 2025-11-21T08:15:48.650

Modified: 2025-11-26T16:51:45.093

Link: CVE-2025-11456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses