{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12169", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T14:27:50.723Z", "datePublished": "2025-11-21T05:32:07.823Z", "dateUpdated": "2026-04-08T17:15:20.370Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:20.370Z"}, "affected": [{"vendor": "elextensions", "product": "ELEX WordPress HelpDesk & Customer Ticketing System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option."}], "title": "ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.0 - Missing Authorization to Authenitcated (Subscriber+) to Scheduled Trigger Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae2ac493-e6df-4083-8601-65635ad342b2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391816"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-10-24T14:42:58.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-20T16:58:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T14:48:13.175107Z", "id": "CVE-2025-12169", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:58:26.045Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12169", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T14:48:13.175107Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:53:59.660Z"}}], "cna": {"title": "ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.0 - Missing Authorization to Authenitcated (Subscriber+) to Scheduled Trigger Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "elextensions", "product": "ELEX WordPress HelpDesk & Customer Ticketing System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-24T14:42:58.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-20T16:58:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae2ac493-e6df-4083-8601-65635ad342b2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391816"}], "descriptions": [{"lang": "en", "value": "The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:20.370Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12169", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:15:20.370Z", "dateReserved": "2025-10-24T14:27:50.723Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T05:32:07.823Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "0501906E-5A9F-4C24-8950-9B718F3A9C5C", "versionEndExcluding": "3.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option."}], "id": "CVE-2025-12169", "lastModified": "2025-12-03T18:29:07.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-11-21T06:15:48.037", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3391816"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae2ac493-e6df-4083-8601-65635ad342b2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:28:30.292519+00:00", "value": {"mitigation_remediation": ["Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to the latest release that addresses the missing capability check.", "If an immediate upgrade is not possible, restrict the wp_ajax_eh_crm_settings_empty_scheduled_actions action so that only administrators can use it, for example by adding a role check or removing the capability from lower\u2011privilege roles.", "As a temporary workaround, block or remove the vulnerable AJAX endpoint with a firewall rule or by adding custom code that rejects the request from non\u2011administrator users."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Data Modification"}, "threat_synthesis": {"affected_systems": "The affected product is the Elextensions ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. All releases up to version 3.3.0 are vulnerable. Users running those versions on a WordPress installation should consider their system compromised if they have not applied a fix.", "description_and_impact": "The vulnerability exists in all ELEX WordPress HelpDesk & Customer Ticketing System versions up to and including 3.3.0. A missing capability check on the wp_ajax_eh_crm_settings_empty_scheduled_actions AJAX action allows any authenticated user with the Subscriber role or higher to invoke the endpoint and clear the scheduled triggers option. This results in the loss of scheduled operations and can disrupt the ticketing workflow. The weakness is an authorization flaw (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact. The EPSS score of less than 1\u202f% suggests a low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. However, the attack vector is internal and requires an authenticated user, meaning any user who can log in to the site with Subscriber or higher privileges can exploit the flaw by issuing the AJAX request to delete scheduled triggers."}}}}, "created": "2025-11-24T09:09:55.341161+00:00", "updated": "2026-04-21T01:30:24.402029+00:00", "vendors": ["elextensions", "elextensions$PRODUCT$elex_wordpress_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}