CVE-2024-12171
📋 TL;DR
The ELEX WordPress HelpDesk & Customer Ticketing System plugin has a privilege escalation vulnerability that allows authenticated attackers with Subscriber-level access or higher to create new administrative user accounts. This affects all WordPress sites using the plugin up to version 3.2.6. Attackers can gain full administrative control of vulnerable WordPress installations.
💻 Affected Systems
- ELEX WordPress HelpDesk & Customer Ticketing System
📦 What is this software?
Wsdesk by Elula
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers create admin accounts, install backdoors, deface websites, steal sensitive data, and use the compromised site for further attacks.
Likely Case
Attackers create hidden admin accounts to maintain persistent access, install malware, or use the site for spam/phishing campaigns.
If Mitigated
With proper monitoring and access controls, unauthorized admin creation would be detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access but only at the lowest WordPress user level (Subscriber). The vulnerability is in an AJAX endpoint that lacks proper capability checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3227859/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-one.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'ELEX HelpDesk & Customer Support Ticket System'.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.2.7+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or block access to the vulnerable 'eh_crm_agent_add_user' AJAX action.
Add to the theme's functions.php or a custom plugin:
remove_action('wp_ajax_eh_crm_agent_add_user', 'eh_crm_agent_add_user');
Note that remove_action() only works if the callback name and priority match exactly what the plugin registered and it runs after the plugin has added the hook; confirm the hook is gone (for example with has_action()) rather than assuming it.
Add to .htaccess if using Apache:
RewriteCond %{QUERY_STRING} action=eh_crm_agent_add_user [NC]
RewriteRule .* - [F,L]
Caveat: %{QUERY_STRING} only inspects the URL query string, so this rule does not block requests that carry action=eh_crm_agent_add_user in the POST body; treat it as defence in depth, not a complete block.
🧯 If You Can't Patch
- Disable the ELEX HelpDesk plugin completely until patched
- Implement strict user role monitoring and alert on any new admin user creation
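The following must-use plugin is an added example written for this advisory, not code from ELEX or the plugin; it blocks the 'eh_crm_agent_add_user' action for non-administrators before any handler runs (which sidesteps the callback-name problem of remove_action), alerts whenever the administrator role is granted by someone who cannot create users, and shows on a hypothetical action name 'example_add_agent' the nonce and capability checks the vulnerable endpoint lacked. Hook priorities, the log format and the mail alert are assumptions.

```php
<?php
/**
 * Plugin Name: CVE-2024-12171 hardening (added example, not the plugin's own code)
 * Install in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Block the vulnerable action for anyone who cannot manage the site.
// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so this
// runs regardless of the callback name or priority the plugin registered with.
add_action('admin_init', function () {
    if (!wp_doing_ajax() || !isset($_REQUEST['action'])) {
        return;
    }
    if ($_REQUEST['action'] === 'eh_crm_agent_add_user' && !current_user_can('manage_options')) {
        error_log('wp-sec: blocked eh_crm_agent_add_user user_id=' . get_current_user_id()
            . ' ip=' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
        wp_send_json_error(['message' => 'forbidden'], 403); // exits
    }
});

// 2. Alert when the administrator role is granted by an actor who cannot create
// users. set_user_role fires for new users created with a role and for later
// promotions, so it covers both paths (it also fires for WP-CLI, actor id 0).
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    if ($role !== 'administrator' || current_user_can('create_users')) {
        return;
    }
    $actor = wp_get_current_user();
    $msg = sprintf('wp-sec: ALERT administrator role granted to user_id=%d by actor_id=%d (%s) ip=%s',
        $user_id, $actor->ID, $actor->user_login ?: 'none', $_SERVER['REMOTE_ADDR'] ?? '-');
    error_log($msg); // ship the PHP error log to the SIEM and alert on "wp-sec: ALERT"
    wp_mail(get_option('admin_email'), 'Unexpected administrator role grant', $msg);
}, 10, 3);

// 3. The checks the vulnerable endpoint lacked, on a hypothetical action name:
// verify a nonce and a capability before touching user accounts, and never let
// the client choose the role.
add_action('wp_ajax_example_add_agent', function () {
    check_ajax_referer('example_add_agent');      // rejects forged/replayed requests
    if (!current_user_can('create_users')) {       // a Subscriber fails here
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $login = sanitize_user(wp_unslash($_POST['login'] ?? ''), true);
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $id = wp_insert_user(['user_login' => $login, 'user_email' => $email,
        'user_pass' => wp_generate_password(), 'role' => 'subscriber']);
    is_wp_error($id) ? wp_send_json_error($id->get_error_message(), 400)
                     : wp_send_json_success(['user_id' => $id]);
});
```

Step 1 is a stopgap until 3.2.7 is installed; step 2 is worth keeping afterwards because it catches any admin-creation path, not just this plugin's.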
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ELEX HelpDesk version. If version is 3.2.6 or lower, you are vulnerable.
Check Version:
wp plugin list --name='ELEX HelpDesk & Customer Support Ticket System' --field=version
Verify Fix Applied:
After updating, verify plugin version shows 3.2.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- WordPress audit logs showing new admin user creation from non-admin accounts
- Apache/Nginx logs with POST requests to /wp-admin/admin-ajax.php with action=eh_crm_agent_add_user
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with the 'action=eh_crm_agent_add_user' parameter from sessions or source IPs not associated with administrator users
SIEM Query:
source="wordpress.log" AND "New user created" AND user_role="administrator" AND created_by!="admin"
🔗 References
- https://plugins.trac.wordpress.org/changeset/3227859/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-one.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3213791%40elex-helpdesk-customer-support-ticket-system&new=3213791%40elex-helpdesk-customer-support-ticket-system&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cbcd978b-e81f-4c39-b2f7-adc948d21b1b?source=cve