Description
Missing Authorization vulnerability in BoldGrid Help Scout help-scout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Help Scout: from n/a through <= 6.5.6.
Published: 2025-01-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw exists in the BoldGrid Help Scout WordPress plugin, versions up to and including 6.5.6, due to incorrectly configured access‑control security levels. The flaw allows attackers to invoke privileged functions without proper authentication, potentially enabling manipulation of the plugin’s internal state.

Affected Systems

The affected product is the BoldGrid Help Scout plugin for WordPress. All releases of the plugin up to and including version 6.5.6 are potentially affected, meaning any WordPress site that has installed these versions is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity and the EPSS score of less than 1% suggests exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be through the plugin’s administrative endpoints or front‑end interfaces that lack proper role checks; exploitation would involve interacting with these interfaces without the required privilege checks.

Generated by OpenCVE AI on May 2, 2026 at 06:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Help Scout plugin to version 6.5.7 or later to correct the broken access control flaw.
  • If the plugin is not required, uninstall or fully disable it from the WordPress installation.
  • Review WordPress user accounts and remove any that have unnecessary administrative permissions that could allow access to the plugin’s configuration.
  • Configure role‑based restrictions to limit access to the plugin’s administrative pages to only the appropriate user roles.

Generated by OpenCVE AI on May 2, 2026 at 06:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2792 Missing Authorization vulnerability in Sprout Apps Help Scout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Help Scout: from n/a through 6.5.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Sprout Apps Help Scout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Help Scout: from n/a through 6.5.1. Missing Authorization vulnerability in BoldGrid Help Scout help-scout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Help Scout: from n/a through <= 6.5.6.
Title WordPress Help Scout Plugin <= 6.5.1 - Broken Access Control vulnerability WordPress Help Scout Plugin <= 6.5.6 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 07 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Sprout Apps Help Scout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Help Scout: from n/a through 6.5.1.
Title WordPress Help Scout Plugin <= 6.5.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:36:34.572Z

Reserved: 2025-01-07T10:22:41.466Z

Link: CVE-2025-22512

cve-icon Vulnrichment

Updated: 2025-01-07T16:22:55.273Z

cve-icon NVD

Status : Deferred

Published: 2025-01-07T16:15:46.320

Modified: 2026-06-17T08:47:53.643

Link: CVE-2025-22512

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:45:36Z

Weaknesses