CVE-2025-53571

The HAPPY helpdesk support ticket system plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in versions up to and including 1.0.6 [1]. The plugin fails to properly enforce access control checks, allowing attackers to exploit incorrectly configured security levels. This stems from missing authorization, authentication, or nonce token checks in certain plugin functions [1].

Exploitation

An unauthenticated or low-privileged attacker can exploit this vulnerability without needing any special permissions, as the affected functions lack proper access validation [1]. The exploitation does not require any user interaction and can be performed remotely over the network. This type of broken access control vulnerability is known to be used in mass-exploit campaigns targeting thousands of WordPress websites regardless of their size or traffic [1].

Impact

Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users, such as administrators [1]. This can lead to unauthorized modifications, data exposure, or complete compromise of the affected WordPress site's helpdesk functionality.

Mitigation

The vendor has released version 1.0.7 which resolves the vulnerability [1]. Users are strongly advised to update the plugin immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until patching is possible [1].