Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action.
Published: 2026-02-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Change
Action: Patch plugin
AI Analysis

Impact

The vulnerability arises from missing capability checks in the eh_crm_ticket_general function, allowing an authenticated user with Subscriber-level access or higher to invoke the AJAX action and modify global WSDesk settings. This unauthorized change can alter plugin behavior or expose sensitive data, creating a potential configuration attack.

Affected Systems

The affected product is the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. Versions up to and including 3.3.5 are vulnerable. The issue applies to all environments where the plugin is installed and the user role is Subscriber or higher.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV. Attackers need to be authenticated and possess at least Subscriber level privileges to exploit the missing authorization and send the AJAX request, enabling them to change global plugin settings. Once set, the attacker can potentially alter support ticket workflows, redirect notifications, or manipulate configuration to facilitate further attacks.

Generated by OpenCVE AI on April 21, 2026 at 16:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest version (higher than 3.3.5) to apply the missing‑capability fix.
  • If an updated version is not available, remove or disable the eh_crm_ticket_general AJAX endpoint from the plugin, for example by editing the plugin file or using a custom plugin that removes that action.
  • Restrict Subscriber role capabilities, ensuring that users with that role cannot perform AJAX actions that alter global settings, using a role‑management plugin or custom code.
  • Review audit logs for unauthorized changes to plugin settings and monitor for suspicious activity.

Generated by OpenCVE AI on April 21, 2026 at 16:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Elextensions
Elextensions elex Wordpress Helpdesk & Customer Ticketing System
Wordpress
Wordpress wordpress
Vendors & Products Elextensions
Elextensions elex Wordpress Helpdesk & Customer Ticketing System
Wordpress
Wordpress wordpress

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 09:30:00 +0000

Type Values Removed Values Added
Description The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action.
Title ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Elextensions Elex Wordpress Helpdesk & Customer Ticketing System
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:59.143Z

Reserved: 2025-12-04T22:50:16.724Z

Link: CVE-2025-14079

cve-icon Vulnrichment

Updated: 2026-02-05T14:49:36.638Z

cve-icon NVD

Status : Deferred

Published: 2026-02-05T10:16:02.050

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14079

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:15:40Z

Weaknesses