Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket subjects in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting (unauthenticated)
Action: Patch Plugin
AI Analysis

Impact

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to stored cross‑site scripting via ticket subjects in all versions up to and including 3.3.4. The flaw arises because the plugin neither sanitizes the submitted subject on input nor escapes it on output, so an attacker can store arbitrary web script in a ticket subject that executes whenever a user loads a page containing the affected ticket. The weakness is classified as CWE‑79.

Affected Systems

All WordPress sites that have installed the ELEX WordPress HelpDesk & Customer Ticketing System plugin from Elextensions, and are running any version up to and including 3.3.4, are affected. Versions beyond 3.3.4 are not known to include this issue.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) indicates moderate to high severity. An EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because no authentication is required (PR:N), the likely attack vector is that an unauthenticated actor creates or modifies a ticket whose subject contains script markup; any user who later views the page that renders that ticket will execute the injected code.

Generated by OpenCVE AI on April 22, 2026 at 16:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest release of the ELEX plugin that removes the XSS flaw (i.e., a version greater than 3.3.4).
  • If an upgraded version is unavailable, apply server‑side sanitization to ticket subject fields and escape all output, for example by using a WordPress sanitization function such as wp_strip_all_tags before storing the data and an escaping function such as esc_html when displaying it.
  • As a temporary measure, disable guest‑user ticket submission or restrict ticket creation to authenticated users until a secure version is deployed.
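The following is an added illustration of the two controls the recommended actions describe (sanitize on input, escape on output); it is not the ELEX plugin's code, and the function names, the table name and the guest-submission option name are invented for the example. It uses only standard WordPress API calls (wp_strip_all_tags, sanitize_text_field, esc_html, esc_attr, $wpdb->insert, get_option, is_user_logged_in, WP_Error).

```php
<?php
// Added example, not code from the ELEX plugin. All example_* names, the
// 'example_tickets' table and the 'example_allow_guest_tickets' option are
// hypothetical.

/**
 * Sanitize a ticket subject before it is stored.
 * wp_strip_all_tags() removes HTML tags and, with $remove_breaks = true,
 * also drops the contents of <script> and <style> elements; sanitize_text_field()
 * then strips invalid UTF-8, octets and line breaks. A length bound keeps a
 * stored subject from bloating admin list views.
 */
function example_sanitize_ticket_subject( $raw_subject ) {
    $subject = wp_strip_all_tags( (string) $raw_subject, true );
    $subject = sanitize_text_field( $subject );
    return mb_substr( $subject, 0, 200 );
}

/**
 * Persist the subject in a hypothetical custom table. $wpdb->insert() applies
 * SQL escaping through the '%s' format specifiers.
 */
function example_store_ticket_subject( $raw_subject ) {
    global $wpdb;
    $subject = example_sanitize_ticket_subject( $raw_subject );
    $wpdb->insert(
        $wpdb->prefix . 'example_tickets',
        array( 'subject' => $subject, 'created_at' => current_time( 'mysql' ) ),
        array( '%s', '%s' )
    );
    return (int) $wpdb->insert_id;
}

/**
 * Render the subject in HTML body context. Output escaping is the control that
 * actually prevents stored XSS, so esc_html() is applied unconditionally: a
 * value may have reached the table through another path (imports, records
 * stored before the fix, direct database edits) without passing the sanitizer.
 */
function example_render_ticket_subject( $stored_subject ) {
    return '<td class="ticket-subject">' . esc_html( $stored_subject ) . '</td>';
}

/**
 * Attribute context needs esc_attr(), not esc_html(); e.g. a tooltip on the row.
 */
function example_render_ticket_subject_attr( $stored_subject ) {
    return '<tr title="' . esc_attr( $stored_subject ) . '">';
}

/**
 * Defence in depth for the unauthenticated path, matching the temporary
 * measure above: refuse guest submissions unless an option (hypothetical
 * name) explicitly enables them.
 */
function example_maybe_accept_ticket( $raw_subject ) {
    if ( ! is_user_logged_in() && ! get_option( 'example_allow_guest_tickets', false ) ) {
        return new WP_Error( 'guest_submission_disabled', 'Guest ticket submission is disabled.' );
    }
    return example_store_ticket_subject( $raw_subject );
}
```

The pairing matters: sanitizing on input narrows what gets stored, but it is esc_html()/esc_attr() at the point of output, chosen for the HTML context the value lands in, that guarantees a subject is rendered as text rather than markup.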


Tracking


Advisories

No advisories yet.

History

Tue, 23 Dec 2025 23:00:00 +0000

Type: First Time appeared
Values Added: Elextensions; Elextensions elex Wordpress Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Elextensions; Elextensions elex Wordpress Plugin; Wordpress; Wordpress wordpress

Mon, 22 Dec 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Dec 2025 04:00:00 +0000

Type: Description
Values Added: The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket subjects in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.4 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Elextensions Elex Wordpress Plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:06.713Z

Reserved: 2025-08-22T13:33:09.992Z

Link: CVE-2025-9343

Vulnrichment

Updated: 2025-12-22T16:49:18.889Z

NVD

Status : Deferred

Published: 2025-12-21T04:16:05.670

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:15:21Z

Weaknesses