cleantalk
Vulnerabilities and Security Researches

ELEX WordPress HelpDesk & Customer Ticketing System, CVE-2024-12171

CVE, Research URL

CVE-2024-12171

Home page URL

Security reports for ELEX WordPress HelpDesk & Customer Ticketing System

Application

ELEX WordPress HelpDesk & Customer Ticketing System

Published on
Feb 01, 2025
Research Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.
Affected versions
Min -, max 3.2.7.
Status
vulnerable
Previous vulnerability researches
ELEX WordPress HelpDesk & Customer Ticketing System (CVE-2024-12171) , Feb 02, 2025
ELEX WordPress HelpDesk & Customer Ticketing System (CVE-2025-47658) , May 14, 2025
New vulnerability
Frontend Dashboard (CVE-2025-4474) , May 14, 2025
Frontend Dashboard (CVE-2025-4473) , May 14, 2025
Easy FancyBox – WordPress Lightbox Plugin (CVE-2025-3597) , May 14, 2025
Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! (CVE-2025-26841) , May 14, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2025-47682) , May 14, 2025