Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized ticket trash deletion
Action: Apply update
AI Analysis

Impact

The ELEX WordPress HelpDesk & Customer Ticketing System plugin contains a missing capability check in the function responsible for emptying the ticket trash. As a result, any authenticated user with a Subscriber role or higher can issue a request that deletes all tickets stored in the trash, causing potential data loss and disrupting ticket history. This flaw does not grant code execution or arbitrary system access, but it does allow an attacker to remove recoverable tickets and affect the service’s integrity.

Affected Systems

WordPress sites running the ELEX WordPress HelpDesk & Customer Ticketing System plugin, versions up to and including 3.3.1. The plugin is offered by Elextensions under the free WordPress plugin titled "ELEX WordPress HelpDesk & Customer Ticketing System."

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, while an EPSS score of less than 1% suggests the likelihood of exploitation is currently low. The vulnerability is not listed in CISA’s KEV catalogue. Exploitation requires an attacker to be authenticated with at least Subscriber-level access and to trigger the AJAX endpoint that empties the trash, which is an authenticated attack vector rather than a remote unauthenticated one.

Generated by OpenCVE AI on April 22, 2026 at 11:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest version
  • Revoke or restrict the capability that allows Subscribers to use the empty trash feature by modifying role capabilities (e.g., via code or a role editor plugin)
  • Monitor WordPress logs for unexpected calls to the empty‑trash AJAX endpoint and review any unauthorized activity

Generated by OpenCVE AI on April 22, 2026 at 11:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Dec 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Elula
Elula wsdesk
CPEs cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*
Vendors & Products Elula
Elula wsdesk

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Elextensions
Elextensions elex Wordpress Plugin
Wordpress
Wordpress wordpress
Vendors & Products Elextensions
Elextensions elex Wordpress Plugin
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 05:45:00 +0000

Type Values Removed Values Added
Description The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash.
Title ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Empty
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Elextensions Elex Wordpress Plugin
Elula Wsdesk
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:29.648Z

Reserved: 2025-10-22T17:56:36.006Z

Link: CVE-2025-12085

cve-icon Vulnrichment

Updated: 2025-11-21T14:54:01.107Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-21T06:15:47.877

Modified: 2025-12-03T18:28:50.630

Link: CVE-2025-12085

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses