Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10
Critical2
High1
Medium7
Reset
Showing 1-10 of 10 records
Threat Entry Updated 2025-12-04

CVE-2025-13534 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to escalate their WSDesk privileges from limited "Reply Tickets" permissions to full helpdesk administrator capabilities, gaining unauthorized access to ticket management, settings configuration, agent administration, and sensitive customer data.

PLUGIN Wsdesk

CVE-2025-13534

MEDIUM CVSS 6.3 2025-12-02
Open Full Technical Breakdown
Threat Entry Updated 2025-11-26

CVE-2025-10054 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.

PLUGIN Wsdesk

CVE-2025-10054

MEDIUM CVSS 5.3 2025-11-21
Open Full Technical Breakdown
Threat Entry Updated 2025-11-26

CVE-2025-10039 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.

PLUGIN Wsdesk

CVE-2025-10039

MEDIUM CVSS 4.3 2025-11-21
Open Full Technical Breakdown
Threat Entry Updated 2025-11-26

CVE-2025-11456 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wsdesk

CVE-2025-11456

CRITICAL CVSS 9.8 2025-11-21
Open Full Technical Breakdown
Threat Entry Updated 2025-12-03

CVE-2025-12169 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.

PLUGIN Wsdesk

CVE-2025-12169

MEDIUM CVSS 4.3 2025-11-21
Open Full Technical Breakdown
Threat Entry Updated 2025-12-03

CVE-2025-12085 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash.

PLUGIN Wsdesk

CVE-2025-12085

MEDIUM CVSS 4.3 2025-11-21
Open Full Technical Breakdown
Threat Entry Updated 2025-12-03

CVE-2025-12023 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets.

PLUGIN Wsdesk

CVE-2025-12023

MEDIUM CVSS 4.3 2025-11-21
Open Full Technical Breakdown
Threat Entry Updated 2025-12-03

CVE-2025-12022 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets.

PLUGIN Wsdesk

CVE-2025-12022

MEDIUM CVSS 4.3 2025-11-21
Open Full Technical Breakdown
Threat Entry Updated 2025-12-05

CVE-2025-47658 - Wsdesk Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System allows Upload a Web Shell to a Web Server. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through 3.2.7.

PLUGIN Wsdesk

CVE-2025-47658

CRITICAL CVSS 9.9 2025-05-23
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-12171 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.

PLUGIN Wsdesk

CVE-2024-12171

HIGH CVSS 8.8 2025-02-01
Open Full Technical Breakdown
Scroll to top