Impact
The ELEX WordPress HelpDesk & Customer Ticketing System plugin lets any authenticated user with the Subscriber role or higher invoke the eh_crm_restore_data() function, because the function performs no capability check. An attacker who exploits this missing authorization can restore tickets to an earlier state or revert changes made to them, tampering with ticket data. The primary impact is therefore on integrity: support tickets can be modified or rolled back, and the restored content may expose information the attacker was not meant to see. The flaw is classified as CWE-862 (Missing Authorization). Its CVSS base score of 4.3 places it in the medium range: the weakness is exploitable, but it does not enable arbitrary code execution or privilege escalation beyond the attacker's existing role.
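The missing-authorization pattern described above, and the check that closes it, as an added example in WordPress-style PHP. This is not the plugin's code: the page does not reproduce eh_crm_restore_data(), so the hook names, callbacks, nonce action, capability and the meta-based restore logic below are hypothetical stand-ins chosen to show the pattern, not what the real function does.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin. Everything here is a
// hypothetical stand-in for the vulnerable function; none of it is the
// plugin's own code.

// --- Vulnerable pattern -------------------------------------------------
// A wp_ajax_{action} hook fires for every logged-in user, Subscriber included.
// With no current_user_can() and no nonce, being logged in is the only gate.
add_action( 'wp_ajax_example_restore_ticket', 'example_restore_ticket_vulnerable' );
function example_restore_ticket_vulnerable() {
    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    // Any Subscriber can roll back any ticket they can guess the ID of.
    example_restore_ticket_state( $ticket_id );
    wp_send_json_success( array( 'restored' => $ticket_id ) );
}

// --- Hardened pattern ---------------------------------------------------
// Authorization (and CSRF protection) happen before any side effect.
add_action( 'wp_ajax_example_restore_ticket_safe', 'example_restore_ticket_hardened' );
function example_restore_ticket_hardened() {
    // CSRF: the nonce must have been issued to this user for this action
    // (e.g. wp_create_nonce( 'example_restore_ticket' ) in the agent UI).
    // check_ajax_referer() dies with a 403 on failure.
    check_ajax_referer( 'example_restore_ticket', 'nonce' );

    // Authorization: require a capability Subscribers do not have.
    // 'manage_options' is a conservative stand-in; a real plugin would
    // register a dedicated capability for support agents instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    if ( 0 === $ticket_id ) {
        wp_send_json_error( array( 'message' => 'invalid ticket id' ), 400 );
    }

    example_restore_ticket_state( $ticket_id );
    wp_send_json_success( array( 'restored' => $ticket_id ) );
}

// Hypothetical restore logic: copy a previously saved status back onto the
// ticket. The meta keys are invented for this example.
function example_restore_ticket_state( $ticket_id ) {
    $previous = get_post_meta( $ticket_id, '_example_ticket_prev_status', true );
    if ( '' !== $previous ) {
        update_post_meta( $ticket_id, '_example_ticket_status', $previous );
    }
}
```

The point of the fix is the order of operations: the nonce and capability checks run before anything touches ticket data, and both wp_send_json_error() and a failed check_ajax_referer() terminate the request, so the restore cannot be reached by an unauthorized caller. A nonce alone is not a substitute for the capability check, because a Subscriber can obtain a valid nonce for themselves from any page that issues one.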
Affected Systems
All installations of the ELEX WordPress HelpDesk & Customer Ticketing System plugin running version 3.3.1 or earlier are affected. The plugin is distributed as a WordPress add-on by the vendor ELEXtensions. Sites running the free WordPress version of the plugin remain at risk until they upgrade to a release newer than 3.3.1.
Risk and Exploitability
Exploitation requires authenticated access: an attacker must first hold a valid WordPress account with the Subscriber role or higher. On sites that allow open user registration this bar is low, since WordPress assigns the Subscriber role to newly registered users by default. The EPSS score below 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Once authenticated, however, the attacker can alter support ticket content, which can lead to data tampering, loss of trust, and operational disruption; the medium CVSS rating reflects that impact. The attack is carried out remotely through the plugin's normal web interface, so the need for legitimate account credentials is the main factor reducing immediate danger, and it does nothing to stop a malicious user who already has an account from manipulating ticket history.
OpenCVE Enrichment