Impact
The vulnerability arises from a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in the ELEX WordPress HelpDesk & Customer Ticketing System plugin. Because the endpoint performs no authorization validation, any authenticated user with Subscriber-level access or higher can invoke it to restore all previously deleted tickets. This allows an attacker to recover deleted ticket data, potentially exposing sensitive customer information and compromising the integrity of the support system. The weakness, classified as CWE-862 Missing Authorization Check, is a moderate privilege escalation flaw with a CVSS score of 4.3.
Affected Systems
All installations of the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress up to and including version 3.3.1 are affected. The issue is tied to the plugin's core directory, specifically the AJAX handler for restoring trashed tickets. No other versions or products from other vendors are listed as affected.
Risk and Exploitability
The risk is moderate: the CVSS score is 4.3 and the EPSS is very low (<1%), indicating that automated exploitation is unlikely. The flaw is not listed in the CISA KEV catalog, suggesting it has not been widely exploited in the wild. Exploitation is local to a user who is authenticated with the site; an attacker needs to know the AJAX endpoint URL or use the plugin's UI to trigger the restore. Any authenticated Subscriber or higher-level role can perform the action, and the impact is confined to the data within the ticketing system rather than the entire WordPress installation.
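An illustrative WordPress AJAX handler, added here as an example and not the plugin's own code, showing the bug class described above beside its fix: a `wp_ajax_` callback that restores trashed tickets with no authorization check, and a hardened version that requires a capability and a nonce before doing the same work. The action name comes from the advisory; the `manage_options` capability, the nonce action name, the `security` request field and the `restore_trashed_tickets()` helper are assumptions.

```php
<?php
// Illustrative only: the callback names, capability, nonce and helper are
// assumptions, not the plugin's real code. restore_trashed_tickets() is an
// assumed helper that moves every trashed ticket back to the active list.

// --- Vulnerable pattern (CWE-862) ---
// 'wp_ajax_{action}' fires for every logged-in request to
// admin-ajax.php?action=eh_crm_settings_restore_trash, so without a check
// a Subscriber reaches the restore logic just as an administrator would.
// Shown unhooked here so it cannot run alongside the hardened version.
function eh_crm_settings_restore_trash_vulnerable() {
    restore_trashed_tickets();
    wp_send_json_success( 'restored' );
}

// --- Hardened pattern ---
function eh_crm_settings_restore_trash_hardened() {
    // 1. CSRF: reject requests that do not carry a nonce minted for this
    //    action. Stops a logged-in user from being tricked into triggering it.
    check_ajax_referer( 'eh_crm_restore_trash', 'security' );

    // 2. Authorization: the actual fix for the missing capability check.
    //    Only users who may manage plugin settings can restore tickets;
    //    everyone else receives a JSON error with HTTP 403 and the
    //    function never reaches the restore call.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    restore_trashed_tickets();
    wp_send_json_success( 'restored' );
}
add_action( 'wp_ajax_eh_crm_settings_restore_trash', 'eh_crm_settings_restore_trash_hardened' );
```

The `wp_ajax_nopriv_` variant of the hook is deliberately not registered, so unauthenticated requests never reach either callback.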
OpenCVE Enrichment