CVE-2025-68556

Vulnerability

Overview

The HAPPY helpdesk support ticket system plugin for WordPress (versions up to and including 1.0.9) contains a missing authorization vulnerability. This means that certain functions or endpoints within the plugin do not properly verify whether the requesting user has the required privileges. The issue is classified as a broken access control flaw, where the security levels are incorrectly configured, allowing users with lower privileges to perform actions intended for higher-privileged roles [1].

Exploitation

An attacker who has obtained a low-privileged account (e.g., a subscriber or customer) can exploit this vulnerability to execute actions that should be restricted to administrators or support agents. The missing authorization check may also be triggered without proper authentication or nonce verification, making it easier to exploit. The vulnerability is known to be used in mass-exploit campaigns, targeting thousands of WordPress sites regardless of their size or popularity [1].

Impact

Successful exploitation could allow an attacker to gain unauthorized access to sensitive support ticket data, modify ticket statuses, or perform other administrative actions within the helpdesk system. This could lead to data breaches, privilege escalation, and compromise of the WordPress site's security. The low CVSS score (5.3) reflects the need for some level of access, but the potential for widespread automated attacks increases the real-world risk [1].

Mitigation

The vendor has released version 1.0.10, which addresses the missing authorization issue. Users are strongly advised to update the plugin to this version immediately. For those using Patchstack, enabling auto-updates for vulnerable plugins is recommended. If immediate updating is not possible, consulting with a hosting provider or web developer for temporary workarounds is advised [1].