vulnerability

WordPress Plugin: elex-helpdesk-customer-support-ticket-system: CVE-2025-14079: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Feb 4, 2026	Feb 5, 2026	Feb 6, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Feb 4, 2026

Added

Feb 5, 2026

Modified

Feb 6, 2026

Description

The ELEX WordPress HelpDesk and Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action.

Solution

elex-helpdesk-customer-support-ticket-system-plugin-cve-2025-14079

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-14079
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=api-prod
CVE-2025-14079
https://attackerkb.com/topics/CVE-2025-14079
CWE-862

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today