CVE-2025-68837
Description
Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in ELEX WordPress HelpDesk plugin (≤3.3.5) allows unauthenticated exploitation of access control, leading to privilege escalation.
Vulnerability Overview
The ELEX WordPress HelpDesk & Customer Ticketing System plugin contains a missing authorization vulnerability, specifically a broken access control issue. This affects versions from n/a through 3.3.5. The flaw allows an attacker to exploit incorrectly configured access control security levels, potentially gaining unauthorized access to higher-privileged actions [1].
Exploitation Details
No authentication or special privileges are required to exploit this vulnerability. Attackers can leverage the missing authorization check to perform actions normally restricted to higher-privileged users. This makes the vulnerability attractive for mass-exploit campaigns targeting thousands of WordPress sites, regardless of their traffic or popularity [1].
Impact
Successful exploitation can lead to unauthorized privilege escalation, allowing an attacker to perform administrative actions or access sensitive data. The CVSS v3 base score is 6.5 (Medium), indicating moderate severity but high potential for real-world exploitation [1].
Mitigation
The vendor has released version 3.3.6 which patches the vulnerability. Users are strongly advised to update immediately. If updating is not possible, implementing a mitigation rule (e.g., from Patchstack) can block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=3.3.5
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.