Impact
Missing authorization controls in the ELEX WordPress HelpDesk & Customer Ticketing System plugin allow attackers to manipulate support tickets. Because the access control levels are incorrectly configured, an unauthenticated or low‑privilege user could read confidential ticket data, edit ticket status, or even impersonate other users, thereby compromising the confidentiality and integrity of support information.
Affected Systems
The vulnerable product is the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress, developed by ELEXtensions. All releases through and including version 3.3.5 are affected.
Risk and Exploitability
The CVSS base score of 6.5 signals moderate severity, while the EPSS score of less than 1% indicates that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the vulnerability description, the likely attack vector is the web interface of the affected WordPress site, where the plugin's endpoints can be reached without proper role-based authorization. An attacker would need only to send requests to those endpoints, potentially reaching an exposed resource or benefiting from a misconfigured user role. If successful, the attacker could read, modify, or delete support tickets, exposing sensitive customer data and disrupting support workflows.
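The following is an added example written for this advisory, not code from the ELEX plugin. It shows the class of defect described above (a WordPress request handler that acts on tickets without a capability or ownership check) next to the hardened form a plugin author should use. All names carrying the hd_ prefix (the hd_ticket post type, the hd_manage_tickets capability, the action and route names) are hypothetical; the WordPress functions (check_ajax_referer, current_user_can/user_can, register_rest_route, permission_callback) are real core APIs.

```php
<?php
// Added example for this advisory; not code from the ELEX plugin.
// Every name with the "hd_" prefix (post type, capability, actions, route) is hypothetical.

// --- Weak pattern: the kind of missing-authorization handler described above ---
// Reachable by unauthenticated users (wp_ajax_nopriv_) and trusts the supplied
// ticket_id/status with no nonce, capability or ownership check, so any caller
// can change any ticket.
add_action( 'wp_ajax_nopriv_hd_update_ticket_weak', 'hd_update_ticket_weak' );
add_action( 'wp_ajax_hd_update_ticket_weak', 'hd_update_ticket_weak' );
function hd_update_ticket_weak() {
    update_post_meta( absint( $_POST['ticket_id'] ), '_hd_status', sanitize_key( $_POST['status'] ) );
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------
// Object-level authorization: a user may act on a ticket only if they hold the
// (hypothetical) agent capability or are the ticket's author.
function hd_user_may_access_ticket( int $user_id, int $ticket_id ): bool {
    $ticket = get_post( $ticket_id );
    if ( ! $ticket || 'hd_ticket' !== $ticket->post_type ) {
        return false;                                   // unknown id or wrong object type
    }
    if ( user_can( $user_id, 'hd_manage_tickets' ) ) {
        return true;                                    // support agent / administrator
    }
    return (int) $ticket->post_author === $user_id;     // otherwise: ticket owner only
}

// Registered only on wp_ajax_ (logged-in users). With no wp_ajax_nopriv_ hook,
// unauthenticated requests never reach this function.
add_action( 'wp_ajax_hd_update_ticket', 'hd_update_ticket' );
function hd_update_ticket() {
    // 1. CSRF protection: the request must carry a valid nonce for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'hd_ticket_action', 'nonce' );

    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    $status    = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    // 2. Authorization: the caller must be allowed to touch *this* ticket,
    //    not merely be logged in.
    if ( ! hd_user_may_access_ticket( get_current_user_id(), $ticket_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: only known status values are accepted.
    $allowed = array( 'open', 'pending', 'closed' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid status' ), 400 );
    }

    update_post_meta( $ticket_id, '_hd_status', $status );
    wp_send_json_success( array( 'ticket_id' => $ticket_id, 'status' => $status ) );
}

// The same rule on a REST read endpoint. permission_callback is where WordPress
// expects the authorization decision; leaving it out or returning '__return_true'
// on a ticket route is the REST-side form of the same missing-authorization bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hd/v1', '/tickets/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            $ticket = get_post( (int) $request['id'] );
            return rest_ensure_response( array(
                'id'      => $ticket->ID,
                'subject' => $ticket->post_title,
                'status'  => get_post_meta( $ticket->ID, '_hd_status', true ),
            ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Runs before the callback; a false return yields a 401/403 response.
            return hd_user_may_access_ticket( get_current_user_id(), (int) $request['id'] );
        },
        'args' => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );
```

When reviewing a plugin for this class of issue, the useful checks are: every wp_ajax_nopriv_ hook that touches stored data, every REST route whose permission_callback is missing or always true, and every handler that checks only "is logged in" rather than "may this user act on this specific ticket" (the object-level check in hd_user_may_access_ticket above).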
OpenCVE Enrichment