CVE-2025-10039
📋 TL;DR
The ELEX WordPress HelpDesk plugin has an Insecure Direct Object Reference vulnerability that allows authenticated users with Subscriber-level access or higher to read all support tickets. This affects all versions up to and including 3.2.9. Attackers can exploit this to access sensitive customer support information.
💻 Affected Systems
- ELEX WordPress HelpDesk & Customer Ticketing System
📦 What is this software?
WSDesk, the ELEX WordPress HelpDesk & Customer Support Ticket System plugin. It adds a support-ticket system to a WordPress site: customers open tickets from the front end and view them through AJAX handlers on admin-ajax.php, while agents work them from the dashboard.
⚠️ Risk & Real-World Impact
Worst Case
All customer support tickets containing sensitive information (personal data, payment details, account credentials) are exposed to any authenticated user, leading to data breach and regulatory violations.
Likely Case
Malicious subscribers or compromised accounts access confidential support tickets containing personal information, leading to privacy violations and potential credential harvesting.
If Mitigated
Limited exposure if proper access controls and monitoring are in place, with only authorized support staff having access to sensitive ticket data.
🎯 Exploit Status
Exploitation requires an authenticated account (Subscriber or above), but is otherwise straightforward: the 'eh_crm_ticket_single_view_client' AJAX action returns a ticket by its ID without checking that the requesting user owns it, so a low-privileged user can walk through ticket IDs. On sites with open user registration the authentication bar is trivial, since self-registered users receive the Subscriber role by default. Technical details are publicly available in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3391342/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'ELEX HelpDesk & Customer Support Ticket System'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.3.0 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable function
Temporarily disable the vulnerable 'eh_crm_ticket_single_view_client' function by modifying the plugin code.
Edit includes/class-crm-ajax-functions.php and comment out or remove the vulnerable function (around line 259). Note that this also breaks the legitimate client-side ticket view for every user, and the change is overwritten by the next plugin update, so treat it as a stopgap only.
Restrict user roles
Temporarily restrict Subscriber and other non-essential roles from accessing the helpdesk system.
Use WordPress role management plugins to modify capabilities. This only narrows who can reach the endpoint; the missing ownership check remains for any account that can still log in, so it does not replace the patch.
🧯 If You Can't Patch
- Close open user registration (Settings > General > Membership) so attackers cannot self-provision Subscriber accounts, audit existing low-privileged accounts, and monitor ticket-view requests from non-support users
- Disable the ELEX HelpDesk plugin entirely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > ELEX HelpDesk version. If the version is 3.2.9 or lower, you are vulnerable.
Check Version:
wp plugin list --name=wsdesk --field=version
The --name filter matches the plugin slug (its directory name under wp-content/plugins), not the display name shown in the admin panel; wsdesk is the slug assumed here, so confirm it with 'wp plugin list' if the command returns nothing.
Verify Fix Applied:
Verify the plugin version is 3.3.0 or higher in the WordPress admin panel. Then test with authenticated accounts: open a ticket as one user, log in as an unrelated Subscriber, request that ticket's ID through the client view action, and confirm the content is not returned.
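The differential check described above, as an added example that is not part of the advisory or the plugin's own code. It logs two test accounts in through the standard wp-login.php form, fetches one ticket as its owner (as a control, so a failed login or wrong parameter name is reported rather than passing silently as "fixed"), then fetches the same ticket as an unrelated Subscriber. The POST parameter name for the ticket ID (`ticket_id`), the staging URL, the account names and the marker string are assumptions for illustration; adjust them to your site. The transport is injected so the decision logic can be exercised offline.

```python
"""Differential authorization test for the WSDesk client ticket view.

Added example, not code from the plugin or the advisory. Assumptions not
confirmed by the page: the AJAX handler reads the ticket id from a POST
parameter named "ticket_id", and the test accounts log in through the
standard wp-login.php form. Adjust TICKET_PARAM if the plugin uses another name.
"""
import http.cookiejar
import urllib.parse
import urllib.request
from typing import Callable, Dict

AJAX_ACTION = "eh_crm_ticket_single_view_client"
TICKET_PARAM = "ticket_id"  # assumed parameter name

# A transport maps (wordpress username, POST params) -> response body text.
Transport = Callable[[str, Dict[str, str]], str]


def view_ticket(transport: Transport, user: str, ticket_id: int) -> str:
    """Call the client ticket view handler as `user` and return the body."""
    return transport(user, {"action": AJAX_ACTION, TICKET_PARAM: str(ticket_id)})


def is_idor_exposed(transport: Transport, owner: str, other: str,
                    ticket_id: int, marker: str) -> bool:
    """Return True if `other` can read `owner`'s ticket.

    `marker` is a string only that ticket contains (e.g. its subject). The
    owner's own view is fetched first as a control: if even the owner cannot
    see the ticket, the test setup is wrong and the result would be meaningless.
    """
    if marker not in view_ticket(transport, owner, ticket_id):
        raise RuntimeError("owner cannot see own ticket; check login or TICKET_PARAM")
    return marker in view_ticket(transport, other, ticket_id)


def wordpress_transport(base_url: str, passwords: Dict[str, str]) -> Transport:
    """Build a transport that logs each user in once via wp-login.php."""
    openers: Dict[str, urllib.request.OpenerDirector] = {}

    def login(user: str) -> urllib.request.OpenerDirector:
        jar = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        opener.open(f"{base_url}/wp-login.php")  # GET first: WordPress sets its test cookie
        form = urllib.parse.urlencode(
            {"log": user, "pwd": passwords[user], "testcookie": "1"}).encode()
        opener.open(f"{base_url}/wp-login.php", data=form)
        # A successful login leaves a wordpress_logged_in_<hash> cookie in the jar.
        if not any(c.name.startswith("wordpress_logged_in") for c in jar):
            raise RuntimeError(f"login failed for {user}")
        return opener

    def transport(user: str, params: Dict[str, str]) -> str:
        if user not in openers:
            openers[user] = login(user)
        data = urllib.parse.urlencode(params).encode()
        with openers[user].open(f"{base_url}/wp-admin/admin-ajax.php", data=data) as resp:
            return resp.read().decode("utf-8", "replace")

    return transport


if __name__ == "__main__":
    # Run against a staging copy. Placeholders: "alice" opened ticket 1041 with
    # a unique subject; "bob" is an unrelated Subscriber with no tickets.
    t = wordpress_transport("https://staging.example.com",
                            {"alice": "alice-pass", "bob": "bob-pass"})
    exposed = is_idor_exposed(t, "alice", "bob", 1041, "IDOR-TEST-7f3a")
    print("exposed" if exposed else "restricted")
```

Run it only against a staging copy you own, with throwaway accounts. A "restricted" result on 3.3.0 and an "exposed" result on 3.2.9 confirms both the diagnosis and the fix; a RuntimeError means the harness itself is misconfigured, not that the site is safe.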
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to ticket viewing endpoints by non-support staff users
- Multiple ticket ID enumeration attempts from single user accounts
Network Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with action=eh_crm_ticket_single_view_client (in the query string or, more commonly for WordPress AJAX calls, in the POST body) carrying ticket IDs the requesting user does not own, or a rapid sequence of different ticket IDs from one session
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php") AND (query_string="action=eh_crm_ticket_single_view_client") AND (user_role="subscriber" OR user_role="contributor")
Plain web-server access logs carry neither the POST body nor the WordPress user or role, so this query assumes an application-level log (an activity or audit logging plugin, or a WAF that logs request bodies) that records those fields; without such a source the action and the user are invisible and the query matches nothing.
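The enumeration indicator from the Log Indicators list, implemented over sample log lines as an added example (not part of the advisory or any vendor tooling). It assumes a JSON-lines audit log that records the WordPress user, role, AJAX action and ticket ID per request; the field names, the role names in STAFF_ROLES, and the log lines themselves are constructed for this illustration. A per-user sliding window flags non-staff accounts that view several distinct tickets in a short time, and notes when the IDs form a consecutive run, which is the signature of an ID walk.

```python
"""Detect ticket enumeration against the WSDesk client view endpoint.

Added example; not part of the advisory or the plugin. Input is assumed to be
JSON lines from an application-level audit log with the fields used below.
The sample log is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

VULN_ACTION = "eh_crm_ticket_single_view_client"
# Roles expected to read many tickets; the agent role name is hypothetical.
STAFF_ROLES = {"administrator", "editor", "wsdesk_agent"}
WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # distinct tickets per window from one non-staff account

# Constructed sample: alice walks IDs 1041-1046, carol re-reads her own ticket,
# dave is an agent doing normal work, bob views three tickets (below threshold).
SAMPLE_LOG = """
{"ts":"2025-09-05T10:00:00","user":"alice","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1041}
{"ts":"2025-09-05T10:00:07","user":"alice","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1042}
{"ts":"2025-09-05T10:00:15","user":"alice","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1043}
{"ts":"2025-09-05T10:00:22","user":"alice","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1044}
{"ts":"2025-09-05T10:00:30","user":"alice","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1045}
{"ts":"2025-09-05T10:00:38","user":"alice","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1046}
{"ts":"2025-09-05T10:01:00","user":"carol","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":2003}
{"ts":"2025-09-05T10:01:30","user":"carol","role":"subscriber","action":"heartbeat","ticket_id":null}
{"ts":"2025-09-05T10:02:00","user":"dave","role":"wsdesk_agent","action":"eh_crm_ticket_single_view_client","ticket_id":3001}
{"ts":"2025-09-05T10:02:10","user":"dave","role":"wsdesk_agent","action":"eh_crm_ticket_single_view_client","ticket_id":3002}
{"ts":"2025-09-05T10:02:20","user":"dave","role":"wsdesk_agent","action":"eh_crm_ticket_single_view_client","ticket_id":3003}
{"ts":"2025-09-05T10:02:30","user":"dave","role":"wsdesk_agent","action":"eh_crm_ticket_single_view_client","ticket_id":3004}
{"ts":"2025-09-05T10:02:40","user":"dave","role":"wsdesk_agent","action":"eh_crm_ticket_single_view_client","ticket_id":3005}
{"ts":"2025-09-05T10:03:00","user":"bob","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1041}
{"ts":"2025-09-05T10:03:30","user":"bob","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1042}
{"ts":"2025-09-05T10:04:00","user":"bob","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":1043}
{"ts":"2025-09-05T10:05:00","user":"carol","role":"subscriber","action":"eh_crm_ticket_single_view_client","ticket_id":2003}
"""


def parse(lines):
    """Yield normalised events for the vulnerable action only."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("action") != VULN_ACTION or rec.get("ticket_id") is None:
            continue
        yield {"ts": datetime.fromisoformat(rec["ts"]), "user": rec["user"],
               "role": rec["role"], "ticket": int(rec["ticket_id"])}


def find_enumeration(events):
    """Flag non-staff users who view >= THRESHOLD distinct tickets within WINDOW."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["role"] not in STAFF_ROLES:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            tickets = sorted({x["ticket"] for x in evs[start:end + 1]})
            if len(tickets) >= THRESHOLD:
                alerts.append({"user": user, "role": evs[end]["role"],
                               "first_seen": evs[start]["ts"], "tickets": tickets,
                               # consecutive IDs with no gaps: a straight ID walk
                               "sequential": tickets[-1] - tickets[0] + 1 == len(tickets)})
                break  # one alert per user is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for a in find_enumeration(parse(SAMPLE_LOG.splitlines())):
        print(a)
```

Tune THRESHOLD to the site's normal behaviour: a customer re-opening their own two or three tickets should never trip it, while an ID walk of a handful of tickets in a minute should. When the plugin is already patched, the same hits still mark accounts worth reviewing, since the attacker's requests now fail but reveal intent.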