ELEX WordPress HelpDesk and Customer Ticketing System Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the ELEX WordPress HelpDesk & Customer Ticketing System plugin, affecting all versions up to and including 3.2.9. The vulnerability arises from insufficient validation of user-controlled keys in the 'eh_crm_ticket_single_view_client' function: the function looks up a ticket by the supplied key without checking that the requesting user is entitled to view it. This flaw enables authenticated attackers with Subscriber-level access or higher to read the contents of all support tickets.

Impact

Exploitation of this vulnerability allows unauthorized access to all support tickets, potentially leading to exposure of sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'eh_crm_ticket_single_view_client' endpoint with a user-controlled 'ticket_id' parameter. The absence of proper validation on this parameter will allow access to tickets that the user should not be able to view.
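The flaw described in the Vulnerability and Reproduction sections is the absence of an ownership or capability check between "load the ticket named by 'ticket_id'" and "return its contents". The following is an added, illustrative hardened handler written for this advisory; it is not the plugin's own code, and its hook name, post type, capability and nonce action (everything prefixed elex_demo_) are assumptions. The WordPress API calls themselves (check_ajax_referer, absint, get_post, current_user_can, wp_send_json_*) are real.

```php
<?php
// Added example: a WordPress AJAX handler that serves a single ticket to the
// requesting client. Names prefixed elex_demo_ are hypothetical, not the
// plugin's. The authorization step (5) is the check whose absence turns a
// user-controlled ticket_id into an IDOR.

add_action( 'wp_ajax_elex_demo_ticket_single_view', 'elex_demo_ticket_single_view' );

function elex_demo_ticket_single_view() {
    // 1. CSRF check. 'elex_demo_ticket_view' is an assumed nonce action.
    check_ajax_referer( 'elex_demo_ticket_view', 'nonce' );

    // 2. Require an authenticated user (wp_ajax_ hooks already imply this;
    //    stating it keeps the handler safe if it is ever re-hooked).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Normalize the user-controlled key. absint() discards anything that
    //    is not a positive integer, so the value is safe to pass to get_post().
    $ticket_id = isset( $_REQUEST['ticket_id'] ) ? absint( $_REQUEST['ticket_id'] ) : 0;
    if ( 0 === $ticket_id ) {
        wp_send_json_error( array( 'message' => 'Invalid ticket id.' ), 400 );
    }

    // 4. Load the object. This example assumes tickets are stored as a custom
    //    post type 'elex_demo_ticket'; the real plugin's storage may differ.
    $ticket = get_post( $ticket_id );
    if ( ! $ticket || 'elex_demo_ticket' !== $ticket->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // 5. Authorization: verify the requester may see THIS ticket. Without this
    //    step every logged-in Subscriber could read any ticket by id.
    if ( ! elex_demo_user_can_view_ticket( get_current_user_id(), $ticket ) ) {
        // Same response as "not found" so callers cannot distinguish
        // non-existent ids from other users' tickets.
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    wp_send_json_success( array(
        'ticket' => array(
            'id'      => $ticket->ID,
            'subject' => $ticket->post_title,
            'body'    => $ticket->post_content,
        ),
    ) );
}

// Ownership-or-role policy. Owners see their own tickets; agents holding the
// assumed capability 'elex_demo_manage_tickets' see all of them.
function elex_demo_user_can_view_ticket( $user_id, $ticket ) {
    if ( (int) $ticket->post_author === (int) $user_id ) {
        return true;
    }
    return current_user_can( 'elex_demo_manage_tickets' );
}
```

Two design points are worth keeping when adapting this: the check is performed against the loaded object, not against a trusted-looking parameter, so renumbering or guessing ids gains nothing; and the "forbidden" and "not found" paths return the same response, which removes the existence oracle that makes id enumeration attractive. On the detection side, a burst of requests to the single-view endpoint from one Subscriber account cycling through many distinct ticket_id values is the pattern to alert on in web server or WAF logs.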

Remediation

Users are advised to update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.0 or later.

Added: Nov 21, 2025, 1:41 PM
Updated: Nov 21, 2025, 3:36 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.