{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10039", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-05T17:36:58.320Z", "datePublished": "2025-11-21T12:28:10.054Z", "dateUpdated": "2026-04-08T17:27:16.477Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:16.477Z"}, "affected": [{"vendor": "elextensions", "product": "ELEX WordPress HelpDesk & Customer Ticketing System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets."}], "title": "ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.9 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ffc0af-9c3d-4f8e-ae0b-e51c0c67dfe1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php#L259"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391342/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-09-17T06:17:55.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-20T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T13:23:42.926190Z", "id": "CVE-2025-10039", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T13:24:30.036Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T13:23:42.926190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T13:24:19.966Z"}}], "cna": {"title": "ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.9 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client'", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "elextensions", "product": "ELEX WordPress HelpDesk & Customer Ticketing System", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.2.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-17T06:17:55.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-20T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ffc0af-9c3d-4f8e-ae0b-e51c0c67dfe1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php#L259"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391342/"}], "descriptions": [{"lang": "en", "value": "The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-21T12:28:10.054Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10039", "state": "PUBLISHED", "dateUpdated": "2025-11-21T13:24:30.036Z", "dateReserved": "2025-09-05T17:36:58.320Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T12:28:10.054Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "9AA8F1F6-1F57-465A-830A-92297F14DEB5", "versionEndExcluding": "3.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets."}], "id": "CVE-2025-10039", "lastModified": "2025-11-26T16:49:15.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-11-21T13:15:45.467", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php#L259"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3391342/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ffc0af-9c3d-4f8e-ae0b-e51c0c67dfe1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:24:30.749741+00:00", "value": {"mitigation_remediation": ["Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.0 or later, which resolves the IDOR issue", "If upgrading immediately is not feasible, deny Subscriber and lower roles from accessing the 'eh_crm_ticket_single_view_client' endpoint by adding a role\u2011based access check or a custom plugin that blocks the request", "Review and adjust user roles and capabilities to ensure only authorized personnel have Subscriber or higher access to the support ticket system"], "summary": {"action": "Apply Patch", "impact": "Data exposure of support ticket contents"}, "threat_synthesis": {"affected_systems": "The affected product is ELEX WordPress HelpDesk & Customer Ticketing System for WordPress, versions up to and including 3.2.9. The plugin is available as a free installation from the WordPress plugin repository and is identified in the cpe entry cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*.", "description_and_impact": "The vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System allows authenticated users with Subscriber level or higher access to read all support tickets. This is caused by an insecure direct object reference in the 'eh_crm_ticket_single_view_client' function, where a user\u2011controlled key is not validated. The result is a confidentiality compromise: attackers can view ticket contents that should be restricted to higher\u2011privileged roles.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate risk, and the EPSS score is less than 1%, suggesting a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers would need authenticated access at the Subscriber level to exploit this IDOR and read ticket data. They would provide a client\u2011specific key in the request, and the plugin would return the corresponding ticket\u2019s content without proper permission checks."}}}}, "created": "2025-11-24T09:09:18.691536+00:00", "updated": "2026-04-21T01:30:24.395547+00:00", "vendors": ["elextensions", "elextensions$PRODUCT$elex_wordpress_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}