Description
Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions.
Published: 2026-06-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic SQL Injection flaw that exists in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for versions up to 3.3.6. An attacker who can submit crafted input to the plugin’s subscriber handling logic can cause the plugin to embed unsanitized data into a database query. If successful, the attacker may be able to read sensitive information, modify records, or potentially drop entire tables, thereby compromising the confidentiality, integrity, and availability of the site’s data.

Affected Systems

The flaw affects installations of the ELEX WordPress HelpDesk & Customer Ticketing System plugin version 3.3.6 and earlier. Any WordPress site that has this plugin enabled and has not applied the vendor’s update to 3.3.7 or later is vulnerable.

Risk and Exploitability

The CVSS score of 8.5 marks this issue as high severity, and the EPSS score of less than 1% indicates a low current likelihood of exploitation, though the flaw remains publicly documented and could be used opportunistically. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web-based request to the plugin’s subscriber endpoint; an attacker can trigger the injection without needing privileged credentials, so the attack is feasible for unauthenticated users who can influence the plugin’s input.

Generated by OpenCVE AI on June 16, 2026 at 20:28 UTC.

Remediation

Vendor Solution

Update the WordPress ELEX WordPress HelpDesk & Customer Ticketing System Plugin to the latest available version (at least 3.3.7).
OpenCVE Recommended Actions

  • Update the ELEX WordPress HelpDesk & Customer Ticketing System Plugin to version 3.3.7 or later, ensuring that the new code replaces all vulnerable SQL statements.
  • Remove or disable any custom code that passes unsanitized user input to the plugin’s database queries, and review any template overrides or hooks that might reinstate the vulnerability.
  • Conduct a security scan of the WordPress environment to verify that no other plugins or themes pass unsanitized input into database queries in the same way, and apply patches or disable the affected components as needed to eliminate related risks.
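The pattern named in the analysis above (request data embedded directly into a query) and the fix the recommended actions call for are illustrated below. This is an added example written for this page, not code from the ELEX plugin, from Patchstack or from OpenCVE; the function names, the table name, the AJAX action name and the capability checked are all assumed, and the only plugin-specific fact it relies on is that the flaw is CWE-89 in subscriber handling. The first function shows the defect class; the second shows the same lookup rebuilt on WordPress’s own `$wpdb->prepare()`, `esc_like()`, nonce and capability APIs.

```php
<?php
// Added illustration (not the ELEX plugin's code): the CWE-89 pattern in a
// WordPress plugin and its parameterised replacement. Every name below
// (hypothetical_* functions, table, action, capability) is assumed.

// DEFECT CLASS: request data concatenated straight into SQL.
function hypothetical_subscriber_lookup_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_subscribers'; // assumed table name
    // $search arrives from the request untouched, so quotes and operators in
    // it become part of the query text instead of data.
    $sql = "SELECT id, email FROM {$table} WHERE email LIKE '%{$search}%'";
    return $wpdb->get_results( $sql );
}

// HARDENED FORM: sanitised input bound through $wpdb->prepare().
function hypothetical_subscriber_lookup_hardened( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_subscribers'; // assumed table name

    // Strip slashes WordPress adds to request data, sanitise, and bound length.
    $search = sanitize_text_field( wp_unslash( $search ) );
    $search = substr( $search, 0, 100 );

    // esc_like() makes %, _ and \ match literally; prepare() binds the value
    // as a string (%s) so it can never change the query structure.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE email LIKE %s LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Request-side checks belong in the handler, before the lookup runs.
function hypothetical_subscriber_search_ajax() {
    // Reject requests that lack a valid nonce for this action (assumed name).
    check_ajax_referer( 'hypothetical_subscriber_search', 'nonce' );

    // Limit the endpoint to users who may read subscriber data (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $search = isset( $_POST['search'] ) ? $_POST['search'] : '';
    wp_send_json_success( hypothetical_subscriber_lookup_hardened( $search ) );
}
add_action( 'wp_ajax_hypothetical_subscriber_search', 'hypothetical_subscriber_search_ajax' );
```

When auditing custom code or template overrides for the second recommended action, the thing to grep for is exactly the first function’s shape: a `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` call whose SQL string interpolates a variable that is not produced by `$wpdb->prepare()`. The capability and nonce checks do not replace parameterisation; they only narrow who can reach the query.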

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 07:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Elextensions
                    |                | Elextensions elex Wordpress Helpdesk & Customer Ticketing System
                    |                | Wordpress
                    |                | Wordpress wordpress
Vendors & Products  |                | Elextensions
                    |                | Elextensions elex Wordpress Helpdesk & Customer Ticketing System
                    |                | Wordpress
                    |                | Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions.
Title       |                | WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.6 - SQL Injection vulnerability
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Elextensions Elex Wordpress Helpdesk & Customer Ticketing System
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:21:45.621Z

Reserved: 2026-05-26T19:56:06.747Z

Link: CVE-2026-48964

Vulnrichment

Updated: 2026-06-16T01:21:40.598Z

NVD

Status: Deferred

Published: 2026-06-15T21:17:18.200

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')