Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in all ELEX WordPress HelpDesk & Customer Ticketing System versions up to and including 3.3.0. A missing capability check on the wp_ajax_eh_crm_settings_empty_scheduled_actions AJAX action allows any authenticated user with the Subscriber role or higher to invoke the endpoint and clear the scheduled triggers option. This results in the loss of scheduled operations and can disrupt the ticketing workflow. The weakness is an authorization flaw (CWE‑862).

Affected Systems

The affected product is the Elextensions ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. All releases up to version 3.3.0 are vulnerable. Users running those versions on a WordPress installation should consider their system compromised if they have not applied a fix.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact. The EPSS score of less than 1 % suggests a low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. However, the attack vector is internal and requires an authenticated user, meaning any user who can log in to the site with Subscriber or higher privileges can exploit the flaw by issuing the AJAX request to delete scheduled triggers.

Generated by OpenCVE AI on April 21, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest release that addresses the missing capability check.
  • If an immediate upgrade is not possible, restrict the wp_ajax_eh_crm_settings_empty_scheduled_actions action so that only administrators can use it, for example by adding a role check or removing the capability from lower‑privilege roles.
  • As a temporary workaround, block or remove the vulnerable AJAX endpoint with a firewall rule or by adding custom code that rejects the request from non‑administrator users.

Generated by OpenCVE AI on April 21, 2026 at 01:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Dec 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Elula
Elula wsdesk
CPEs cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*
Vendors & Products Elula
Elula wsdesk

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Elextensions
Elextensions elex Wordpress Plugin
Wordpress
Wordpress wordpress
Vendors & Products Elextensions
Elextensions elex Wordpress Plugin
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 05:45:00 +0000

Type Values Removed Values Added
Description The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.
Title ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.0 - Missing Authorization to Authenitcated (Subscriber+) to Scheduled Trigger Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Elextensions Elex Wordpress Plugin
Elula Wsdesk
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:20.370Z

Reserved: 2025-10-24T14:27:50.723Z

Link: CVE-2025-12169

cve-icon Vulnrichment

Updated: 2025-11-21T14:53:59.660Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-21T06:15:48.037

Modified: 2025-12-03T18:29:07.057

Link: CVE-2025-12169

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses