Vulnerabilities and security researches forelex-helpdesk-customer-support-ticket-system elex-helpdesk-customer-support-ticket-system
Direction: ascendingFeb 02, 2025
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2024-12171
- CVE, Research URL
- Date
- Feb 01, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.
- Affected versions
-
max 3.2.7.
- Status
-
vulnerable
May 14, 2025
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-47658
- CVE, Research URL
- Date
- May 23, 2025
- Research Description
- Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System allows Upload a Web Shell to a Web Server. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through 3.2.7.
- Affected versions
-
max 3.2.7.
- Status
-
vulnerable
Dec 10, 2025
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-12022
- CVE, Research URL
- Date
- Nov 21, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets.
- Affected versions
-
max 3.3.2.
- Status
-
vulnerable
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-12085
- CVE, Research URL
- Date
- Nov 21, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash.
- Affected versions
-
max 3.3.2.
- Status
-
vulnerable
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-11456
- CVE, Research URL
- Date
- Nov 21, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Affected versions
-
max 3.3.2.
- Status
-
vulnerable
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-10039
- CVE, Research URL
- Date
- Nov 21, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.
- Affected versions
-
max 3.3.0.
- Status
-
vulnerable
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-10054
- CVE, Research URL
- Date
- Nov 21, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.
- Affected versions
-
max 3.3.2.
- Status
-
vulnerable
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-12169
- CVE, Research URL
- Date
- Nov 21, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.
- Affected versions
-
max 3.3.1.
- Status
-
vulnerable
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-13534
- CVE, Research URL
- Date
- Dec 02, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to escalate their WSDesk privileges from limited "Reply Tickets" permissions to full helpdesk administrator capabilities, gaining unauthorized access to ticket management, settings configuration, agent administration, and sensitive customer data.
- Affected versions
-
max 3.3.3.
- Status
-
vulnerable
ELEX WordPress HelpDesk & Customer Ticketing System # CVE-2025-12023
- CVE, Research URL
- Date
- Nov 21, 2025
- Research Description
- The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets.
- Affected versions
-
max 3.3.2.
- Status
-
vulnerable