CVE-2025-12022
📋 TL;DR
The ELEX WordPress HelpDesk plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to restore all deleted tickets. This affects all WordPress sites using the plugin up to version 3.3.1. Attackers can misuse this to disrupt ticket management and potentially access sensitive ticket data.
💻 Affected Systems
- ELEX WordPress HelpDesk & Customer Ticketing System
📦 What is this software?
Wsdesk by Elula
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors restore thousands of deleted tickets, overwhelming the helpdesk system, exposing sensitive customer data from previously deleted tickets, and causing operational disruption.
Likely Case
Low-privilege users restore some deleted tickets, causing confusion in ticket management and minor data exposure of previously deleted ticket contents.
If Mitigated
With proper access controls and monitoring, impact is limited to minor ticket management disruption with quick detection and remediation.
🎯 Exploit Status
Exploitation requires authenticated access but is simple - just needs to call the vulnerable AJAX endpoint with appropriate parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-archive-ajax-functions.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'ELEX HelpDesk & Customer Support Ticket System'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the 'eh_crm_settings_restore_trash' AJAX endpoint.
Add to the theme's functions.php or a custom plugin. Note that wp_ajax_* hooks are actions, not filters, so add_filter(..., '__return_false') does nothing; instead hook an action at priority 0 (assumed to run before the plugin's own handler at the default priority) and exit unless the user is an administrator:
add_action('wp_ajax_eh_crm_settings_restore_trash', function () {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Forbidden', 403); // wp_send_json_error() calls wp_die(), so the plugin handler never runs
    }
}, 0);
Restrict user capabilities
Temporarily restrict Subscriber role capabilities to prevent exploitation.
Use a WordPress role editor plugin or add: $subscriber = get_role('subscriber'); $subscriber->remove_cap('read'); // Temporarily remove basic dashboard access; revert after patching
Caveat: admin-ajax.php fires wp_ajax_* actions for any logged-in user without checking the 'read' capability, so this alone does not block the endpoint; combine it with the endpoint restriction above.
🧯 If You Can't Patch
- Disable the ELEX HelpDesk plugin completely until patched
- Implement strict network access controls to limit who can access the WordPress admin area
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 3.3.1 or lower, you are vulnerable.
Check Version:
wp plugin list --name=elex-helpdesk-customer-support-ticket-system --field=version  # the name field is the plugin slug, not the display name
Verify Fix Applied:
After updating, verify plugin version shows 3.3.2 or higher. Test with a Subscriber account that AJAX endpoint no longer allows ticket restoration.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=eh_crm_settings_restore_trash
- Unusual ticket restoration activity in helpdesk logs
- Subscriber users performing administrative actions
Network Indicators:
- Unusual AJAX requests from non-admin user accounts to WordPress admin endpoints
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "eh_crm_settings_restore_trash"
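The log indicators above as working detection logic, added here as an example that is not part of the advisory: it parses combined-format web-server log lines, keeps only requests to admin-ajax.php whose action query parameter is eh_crm_settings_restore_trash, and counts hits per source IP so that a burst of restores from one client stands out. The sample lines are constructed; they assume the action is visible in the query string, whereas WordPress AJAX clients normally send it in the POST body, which a plain access log does not record, so in practice feed this the WAF or application log that captures request parameters. Function names and the optional status filter are choices made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (combined format); not real traffic. The action is
# assumed to be in the query string so an access log can see it; for
# POST-body parameters use a WAF or application log that records them.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51
203.0.113.5 - - [10/Nov/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=eh_crm_settings_restore_trash HTTP/1.1" 200 17
203.0.113.5 - - [10/Nov/2025:10:00:06 +0000] "POST /wp-admin/admin-ajax.php?action=eh_crm_settings_restore_trash HTTP/1.1" 200 17
198.51.100.7 - - [10/Nov/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=eh_crm_settings_restore_trash HTTP/1.1" 403 12
192.0.2.9 - - [10/Nov/2025:10:02:00 +0000] "GET /?p=1 HTTP/1.1" 200 4231
"""

TARGET_ACTION = "eh_crm_settings_restore_trash"  # AJAX action named in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["action"] = parse_qs(url.query).get("action", [None])[0]
    rec["status"] = int(rec["status"])
    return rec


def find_restore_trash_hits(log_text, successful_only=False):
    """Return records of requests to admin-ajax.php carrying the vulnerable action.

    With successful_only=True, requests the server rejected (non-200) are dropped,
    which is useful after a WAF rule or the workaround is in place.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        if rec["action"] != TARGET_ACTION:
            continue
        if successful_only and rec["status"] != 200:
            continue
        hits.append(rec)
    return hits


def hits_per_source(hits):
    """Count hits per client IP; repeated calls from one source suggest bulk restores."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_restore_trash_hits(SAMPLE_LOG)
    for ip, n in hits_per_source(found).most_common():
        print(f"{ip}: {n} restore_trash request(s)")
```

Correlate the source IP with the WordPress session or user ID (available in application logs or a security plugin's audit log) to confirm the Subscriber-level indicator; an access log alone identifies the client, not the account.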