Threat Entry Updated 2026-02-05

CVE-2025-14079 - Elex Helpdesk Customer Support Ticket System Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action.

PLUGIN Elex Helpdesk Customer Support Ticket System

CVE-2025-14079

MEDIUM CVSS 5.3 2026-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-12-04

CVE-2025-13534 - Elex Helpdesk Customer Support Ticket System Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to escalate their WSDesk privileges from limited "Reply Tickets" permissions to full helpdesk administrator capabilities, gaining unauthorized access to ticket management, settings configuration, agent administration, and sensitive customer data.

PLUGIN Elex Helpdesk Customer Support Ticket System

CVE-2025-13534

MEDIUM CVSS 6.3 2025-12-02

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-11-26

CVE-2025-10054 - Elex Helpdesk Customer Support Ticket System Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.

PLUGIN Elex Helpdesk Customer Support Ticket System

CVE-2025-10054

MEDIUM CVSS 5.3 2025-11-21

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-11-26

CVE-2025-10039 - Elex Helpdesk Customer Support Ticket System Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.

PLUGIN Elex Helpdesk Customer Support Ticket System

CVE-2025-10039

MEDIUM CVSS 4.3 2025-11-21

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-11-26

CVE-2025-11456 - Elex Helpdesk Customer Support Ticket System Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Elex Helpdesk Customer Support Ticket System

CVE-2025-11456

CRITICAL CVSS 9.8 2025-11-21

Risk Score

Open Full Technical Breakdown