Description
Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.2.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Immediate Patch
AI Analysis

Impact

Missing authorization in the WPFactory Helpdesk Support Ticket System for WooCommerce plugin allows attackers to access and manipulate support tickets without proper authentication. The vulnerability stems from incorrectly configured access control levels, meaning any user who can reach the plugin’s endpoints can perform privileged actions such as viewing, editing, or deleting tickets, potentially exposing sensitive customer information. Overall, an attacker could alter ticket data or gather confidential details, compromising the integrity and confidentiality of the WordPress site.

Affected Systems

All installations of the WPFactory Helpdesk Support Ticket System for WooCommerce through version 2.1.2 are susceptible. Sites hosting this plugin, especially those that expose administrative pages to the internet or that use insufficient role restrictions, are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity while an EPSS less than 1% suggests a low of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote web-based access; attackers can craft unauthenticated HTTP requests to plugin endpoints that lack proper access checks, achieving the exploit without any special credentials.

Generated by OpenCVE AI on March 26, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a version newer than 2.1.2
  • Verify that the plugin’s admin and public endpoints are protected by appropriate authentication checks
  • If an immediate upgrade is not possible, restrict access to the plugin’s administrative pages through role-based access controls or by removing the endpoints from the public URL space

Generated by OpenCVE AI on March 26, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpfactory
Wpfactory helpdesk Support Ticket System For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpfactory
Wpfactory helpdesk Support Ticket System For Woocommerce

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.2.
Title WordPress Helpdesk Support Ticket System for WooCommerce plugin <= 2.1.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpfactory Helpdesk Support Ticket System For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:47:34.195Z

Reserved: 2026-01-19T16:14:52.937Z

Link: CVE-2026-23977

cve-icon Vulnrichment

Updated: 2026-03-26T19:47:07.577Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:36.557

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-23977

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:32Z

Weaknesses