{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14581", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-12T14:47:24.270Z", "datePublished": "2025-12-13T03:20:24.738Z", "dateUpdated": "2026-04-08T16:46:43.340Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:43.340Z"}, "affected": [{"vendor": "villatheme", "product": "HAPPY \u2013 Helpdesk Support Ticket System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HAPPY \u2013 Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket."}], "title": "HAPPY \u2013 Helpdesk Support Ticket System <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Reply", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/trunk/inc/happy-replies.php#L585"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/tags/1.0.9/inc/happy-replies.php#L585"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417847%40happy-helpdesk-support-ticket-system&new=3417847%40happy-helpdesk-support-ticket-system&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-03T17:26:51.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-12T14:47:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:25:17.847619Z", "id": "CVE-2025-14581", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:34:49.982Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14581", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:25:17.847619Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:25:19.037Z"}}], "cna": {"title": "HAPPY \u2013 Helpdesk Support Ticket System <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Reply", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "villatheme", "product": "HAPPY \u2013 Helpdesk Support Ticket System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-03T17:26:51.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-12T14:47:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/trunk/inc/happy-replies.php#L585"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/tags/1.0.9/inc/happy-replies.php#L585"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417847%40happy-helpdesk-support-ticket-system&new=3417847%40happy-helpdesk-support-ticket-system&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The HAPPY \u2013 Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:43.340Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14581", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:43.340Z", "dateReserved": "2025-12-12T14:47:24.270Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T03:20:24.738Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The HAPPY \u2013 Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket."}], "id": "CVE-2025-14581", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-12-13T16:16:51.560", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/tags/1.0.9/inc/happy-replies.php#L585"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/trunk/inc/happy-replies.php#L585"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417847%40happy-helpdesk-support-ticket-system&new=3417847%40happy-helpdesk-support-ticket-system&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T03:50:33.274658+00:00", "value": {"mitigation_remediation": ["Upgrade the HAPPY \u2013 Helpdesk Support Ticket System plugin to any version newer than 1.0.9, which corrects the missing capability check on the reply action.", "If an upgrade is not immediately possible, limit the ability to reply to tickets by assigning a custom capability that only administrators or dedicated support staff possess, and modify the plugin to enforce that capability before processing reply submissions.", "As a temporary protection, suppress the \u2018submit_form_reply\u2019 AJAX action for roles below administrator by adding a filter or custom code that blocks the request until the official patch is available."], "summary": {"action": "Patch Update", "impact": "Unauthorized Ticket Reply Access"}, "threat_synthesis": {"affected_systems": "This weakness exists in the villatheme HAPPY \u2013 Helpdesk Support Ticket System plugin for WordPress in all releases up to and including 1.0.9.", "description_and_impact": "The plugin contains a missing capability check on the \u2018submit_form_reply\u2019 AJAX action, which is a classic missing authorization flaw (CWE\u2011862). The flaw allows any authenticated WordPress user with Subscriber level or higher to alter any support ticket by manipulating the \u2018happy_topic_id\u2019 parameter, even if they are not the ticket owner or have not been assigned to the ticket. This can be used to inject unwanted or misleading content into tickets, effectively compromising the integrity of the support system.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate level of severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Once an attacker is authenticated with Subscriber or higher privileges, they can abuse the flaw by sending a crafted AJAX request to the reply endpoint, requiring no additional conditions."}}}}, "created": "2025-12-14T21:14:59.382436+00:00", "updated": "2026-04-22T04:00:07.986812+00:00", "vendors": ["villatheme", "villatheme$PRODUCT$happy", "wordpress", "wordpress$PRODUCT$wordpress"]}