CVE-2025-13534
📋 TL;DR
The ELEX WordPress HelpDesk plugin has a privilege escalation vulnerability that allows authenticated users with Contributor-level access or higher to elevate their permissions to full helpdesk administrator. This enables unauthorized access to ticket management, settings configuration, and sensitive customer data. All WordPress sites using this plugin up to version 3.3.2 are affected.
💻 Affected Systems
- ELEX WordPress HelpDesk & Customer Ticketing System
📦 What is this software?
Wsdesk by Elula
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the helpdesk system, allowing them to view all customer tickets, modify settings, manage agents, and potentially access sensitive customer data including personal information and support communications.
Likely Case
Malicious contributors or authors escalate their privileges to access and manipulate helpdesk tickets, potentially viewing sensitive customer information or disrupting support operations.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized helpdesk access without broader WordPress admin compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in an AJAX endpoint with missing authorization checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.3.2
Vendor Advisory: https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'ELEX HelpDesk & Customer Support Ticket System'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and remove the plugin until a patched version is released.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable eh_crm_edit_agent AJAX action.
Add to the theme's functions.php or a custom plugin (the callback name must match the one the plugin actually registers on the wp_ajax_eh_crm_edit_agent hook, and the removal must run after the plugin has added it):
add_action('init', function() { remove_action('wp_ajax_eh_crm_edit_agent', 'eh_crm_edit_agent_callback'); });
Restrict user roles
Temporarily remove the Contributor and Author roles from users who don't need them.
Use WordPress user management or a plugin such as User Role Editor to restrict permissions.
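As an added example, not the plugin's or vendor's code: instead of removing the handler, a must-use plugin can hook the same AJAX action ahead of the plugin's own callback and reject callers who lack an administrative capability, logging each blocked attempt for the SIEM query above. The manage_options capability and the mu-plugin placement are assumptions; the plugin's real callback name and nonce are not known here.

```php
<?php
/**
 * Plugin Name: Stopgap guard for eh_crm_edit_agent (CVE-2025-13534)
 * Description: Assumed mu-plugin; place in wp-content/mu-plugins/ so it is always loaded.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Runs before the helpdesk plugin's own callback on the same AJAX action
 * (priority 0 fires ahead of the default priority 10). If the caller lacks
 * the assumed administrative capability, the request ends here and the
 * plugin's handler never executes. Logged-out callers never reach the
 * wp_ajax_* hooks (they are routed to wp_ajax_nopriv_*), so only
 * authenticated users are evaluated, which matches the affected path.
 */
function cve_2025_13534_guard_edit_agent() {
    // Assumption: helpdesk agent administration should require manage_options.
    if ( current_user_can( 'manage_options' ) ) {
        return; // Authorized: let the plugin's handler proceed as usual.
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // One log line per blocked attempt: user, roles and source IP for the SIEM.
    error_log( sprintf(
        'CVE-2025-13534 blocked eh_crm_edit_agent: user=%s roles=%s ip=%s',
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $ip
    ) );

    // wp_send_json_error() ends with wp_die(), so the request terminates here.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'wp_ajax_eh_crm_edit_agent', 'cve_2025_13534_guard_edit_agent', 0 );
```

Because the guard exits the request on failure, it works regardless of the plugin's callback name; remove it once the patched version is installed.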
🧯 If You Can't Patch
- Deactivate the ELEX HelpDesk plugin immediately and use alternative support solutions
- Implement strict access controls and monitor all authenticated user activity, especially AJAX requests to helpdesk endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'ELEX HelpDesk & Customer Support Ticket System' version 3.3.2 or lower
Check Version:
wp plugin list --name='elex-helpdesk-customer-support-ticket-system' --field=version
Verify Fix Applied:
Verify plugin version is higher than 3.3.2 in WordPress admin plugins page
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to /wp-admin/admin-ajax.php with action=eh_crm_edit_agent from non-admin users
- User role changes in helpdesk system from Contributor/Author to Administrator
Network Indicators:
- POST requests to admin-ajax.php with eh_crm_edit_agent parameter from unexpected user accounts
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "eh_crm_edit_agent" AND (user_role="contributor" OR user_role="author")
🔗 References
- https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.2/includes/class-crm-ajax-functions-two.php#L9
- https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php#L9
- https://plugins.trac.wordpress.org/browser/stm-gallery/trunk/stmgallery_v.0.9.php#L121
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3541794b-7c8a-42f8-9688-7f3dbbb08e58?source=cve