Overview
CVE-2025-12022 is a medium-severity security vulnerability affecting the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. Specifically, it allows authenticated attackers with Subscriber-level access (or higher) to restore all deleted tickets. This is due to a missing capability check on the eh_crm_settings_restore_trash AJAX endpoint. This vulnerability exists in all versions of the plugin up to and including version 3.3.1.
Technical Details
The vulnerability lies in the lack of proper authorization checks before users are allowed to trigger the ticket restoration functionality. The eh_crm_settings_restore_trash AJAX endpoint, responsible for restoring tickets from the trash, fails to verify whether the requesting user possesses the necessary capabilities to perform this action. Because of this missing check, any authenticated user, even one with the lowest ‘Subscriber’ role, can exploit this endpoint.
The vulnerable code is located within the includes/class-crm-archive-ajax-functions.php file of the plugin. By sending a specially crafted AJAX request to the eh_crm_settings_restore_trash endpoint, an attacker can bypass the intended access restrictions and restore all deleted tickets, potentially exposing sensitive customer data and internal communication.
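As an added illustration of the bug class described above (not the plugin's actual code, which this advisory does not reproduce), a hypothetical WordPress AJAX handler is shown in its unchecked form beside a hardened form. Only the AJAX action name comes from the advisory; the callback names, the helper, the nonce action and the capability used are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The handler bodies, the nonce
// action and the capability name are assumptions; only the action name
// eh_crm_settings_restore_trash comes from the advisory.

// Assumed helper standing in for the plugin's own restore routine.
function eh_crm_restore_all_trashed_tickets() {
    // e.g. flip every ticket with status 'trash' back to 'open'
}

// Unchecked pattern (the class of defect the advisory describes).
// wp_ajax_* hooks fire for every logged-in user, Subscribers included,
// so the callback alone decides who may restore tickets, and it never asks.
function eh_crm_restore_trash_unchecked() {
    eh_crm_restore_all_trashed_tickets();
    wp_send_json_success();
}

// Hardened pattern: verify a nonce bound to this action (CSRF guard),
// then require a capability only ticket administrators hold, before any
// data is touched.
function eh_crm_restore_trash_hardened() {
    // Dies with a 403 unless the 'security' field is a valid nonce for this action.
    check_ajax_referer( 'eh_crm_settings_nonce', 'security' );

    // The authorization check that the unchecked version is missing.
    // 'manage_options' is an assumed choice; the plugin may define a narrower capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    eh_crm_restore_all_trashed_tickets();
    wp_send_json_success();
}

// Only the hardened callback is wired to the endpoint; the unchecked one is
// kept solely for comparison and is never registered.
add_action( 'wp_ajax_eh_crm_settings_restore_trash', 'eh_crm_restore_trash_hardened' );
```

Both `check_ajax_referer()` and `wp_send_json_error()` terminate the request on failure, so the restore helper is never reached by a caller who fails either check.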
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns a score of 4.3 to CVE-2025-12022, classifying it as a MEDIUM severity vulnerability. The CVSS vector is likely similar to AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This reflects the following characteristics:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely over the network.
- Attack Complexity (AC): Low (L) – The vulnerability is easy to exploit.
- Privileges Required (PR): Low (L) – The attacker requires only low-level privileges (e.g., Subscriber role).
- User Interaction (UI): None (N) – No user interaction is required to trigger the vulnerability.
- Scope (S): Unchanged (U) – The vulnerability’s impact is limited to the affected component.
- Confidentiality Impact (C): None (N) – There is no impact to confidentiality.
- Integrity Impact (I): Low (L) – The attacker can modify data (restore tickets).
- Availability Impact (A): None (N) – There is no impact to system availability.
Possible Impact
Exploitation of CVE-2025-12022 can have several negative consequences:
- Data Exposure: Restoring deleted tickets may reveal sensitive customer information, internal communications, and other confidential data.
- Compliance Violations: The unauthorized restoration of data could potentially lead to violations of data privacy regulations (e.g., GDPR, CCPA).
- Reputational Damage: A security breach involving unauthorized access to and restoration of customer data can significantly damage the reputation of the organization using the vulnerable plugin.
Mitigation or Patch Steps
The recommended mitigation is to update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest version. The vulnerability has been patched in versions released after 3.3.1.
- Update the Plugin: Navigate to the “Plugins” section in your WordPress dashboard and update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest available version.
- Verify the Version: Ensure that you are running a version greater than 3.3.1 to confirm the patch is applied.
- Monitor Activity: Keep an eye on your WordPress site activity logs for any suspicious activity related to ticket restoration.
