ELEX WordPress HelpDesk & Customer Ticketing System
Moderate fix1 remedy
cpe:2.3:a:elula:wsdesk:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 3.3.0
ELEX WordPress HelpDesk and Customer Ticketing System Missing Authorization Vulnerability in AJAX Action
Vulnerability
Patched
A vulnerability exists in the ELEX WordPress HelpDesk & Customer Ticketing System plugin, affecting all versions through 3.3.0. The issue arises from a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX action. This flaw allows authenticated attackers with Subscriber-level access and above to unauthorizedly modify data by clearing the scheduled triggers option.
Impact
Exploitation of this vulnerability allows for unauthorized deletion of scheduled trigger options, potentially disrupting scheduled tasks or actions within the application.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX action. The request must include a valid nonce for authentication. Once the action is processed, the scheduled triggers option will be cleared.
Remediation
Users are advised to update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.1 or a newer patched version.
Added: Nov 21, 2025, 6:18 AM
Updated: Nov 21, 2025, 6:18 AM
Vulnerability Rating
Custom Algorithm
spread
1.0impact
0.6exploitability
6.4remediation
7.7relevance
1.1threat
4.8urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.