CVE-2025-14079
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action.
| CWE | CWE-862 |
| Vendor | elextensions |
| Product | elex wordpress helpdesk & customer ticketing system |
| Published | Feb 5, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for elextensions elex wordpress helpdesk & customer ticketing system
Be the first to know when new medium vulnerabilities affecting elextensions elex wordpress helpdesk & customer ticketing system are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
elextensions / ELEX WordPress HelpDesk & Customer Ticketing System
0 โค 3.3.5
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3449609/
Credits
Itthidej Aramsri