
CVE-2025-12085: Critical Data Modification Flaw in ELEX HelpDesk WordPress Plugin

Overview

CVE-2025-12085 identifies a medium-severity vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. The flaw allows authenticated attackers with Subscriber-level access or higher to empty the ticket trash without authorization. It stems from a missing capability check in the eh_crm_settings_empty_trash function.

This means even users with limited privileges can potentially delete important ticket data, leading to data loss and disruption of customer support operations. All versions up to and including 3.3.1 are affected.

Technical Details

The vulnerability resides in the eh_crm_settings_empty_trash function of the ELEX HelpDesk plugin, which is responsible for emptying the ticket trash. The function does not perform a capability check to verify whether the user initiating the action is permitted to do so. As a result, any authenticated user with Subscriber-level access can trigger it and permanently delete the tickets held in the trash.

The vulnerable code can be found within the includes/class-crm-ajax-functions-two.php file of the plugin.
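To make the missing check concrete, the following is an added illustration in PHP of the vulnerable pattern beside its hardened form; it is not the ELEX plugin's own code, and the action name, post type, capability and function names are hypothetical.

```php
<?php
// Added illustration, not the ELEX plugin's code. All names here are hypothetical.

// Vulnerable pattern: a wp_ajax_* hook only requires that the caller be
// logged in, so without an explicit capability check any Subscriber can
// reach this handler and permanently delete every trashed ticket.
function example_empty_trash_vulnerable() {
    $trashed = get_posts( array(
        'post_type'   => 'example_ticket', // hypothetical ticket post type
        'post_status' => 'trash',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $trashed as $id ) {
        wp_delete_post( $id, true ); // true = bypass trash, delete permanently
    }
    wp_send_json_success( array( 'deleted' => count( $trashed ) ) );
}

// Hardened pattern: verify a nonce (CSRF protection) and a capability
// (authorization) before any destructive work. The capability should be one
// that only ticket-managing roles hold; 'manage_options' is a placeholder.
function example_empty_trash_hardened() {
    check_ajax_referer( 'example_empty_trash', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $trashed = get_posts( array(
        'post_type'   => 'example_ticket',
        'post_status' => 'trash',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $trashed as $id ) {
        wp_delete_post( $id, true );
    }
    wp_send_json_success( array( 'deleted' => count( $trashed ) ) );
}

// Register only the hardened handler for logged-in AJAX requests.
add_action( 'wp_ajax_example_empty_trash', 'example_empty_trash_hardened' );
```

When auditing a plugin for this class of bug, look for every wp_ajax_* callback that performs a write or delete and confirm it calls current_user_can (or an equivalent authorization check) before doing so; a nonce check alone does not establish authorization.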

CVSS Analysis

The vulnerability has been assigned a CVSS score of 4.3 (Medium).

  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

While the CVSS score is medium, the impact on data integrity should be considered when prioritizing patching.

Possible Impact

The unauthorized emptying of the ticket trash can have the following impact:

  • Data Loss: Important customer support tickets can be permanently deleted, hindering the ability to resolve issues and provide adequate support.
  • Reputation Damage: Inability to track and resolve customer issues can negatively impact the organization’s reputation.
  • Operational Disruption: Loss of ticket data can disrupt customer support operations and workflows.

Mitigation or Patch Steps

The recommended mitigation is to update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest version. This issue has been patched in versions greater than 3.3.1. Follow these steps:

  1. Log into your WordPress admin dashboard.
  2. Navigate to Plugins > Installed Plugins.
  3. Locate the “ELEX WordPress HelpDesk & Customer Ticketing System” plugin.
  4. If an update is available, click the “Update Now” button.
  5. Verify that the updated version is greater than 3.3.1.

If an update is not immediately available, consider temporarily disabling the plugin until you can update to a patched version.
