CVE-2025-10054
BaseFortify
Publication date: 2025-11-21
Last updated on: 2026-04-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elula | wsdesk | up to 3.3.2 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress (WSDesk): a missing capability check in the 'eh_crm_remove_agent' function lets any authenticated user with Subscriber-level access or higher remove roles and capabilities from users holding the Administrator, WSDesk Supervisor, or WSDesk Agent roles. In short, a low-privileged account can strip privileges from higher-privileged accounts. This is the classic CWE-862 pattern: the code performs a privileged action without first verifying that the caller is allowed to perform it.
How can this vulnerability impact me?
An attacker who holds, or can register, a low-privilege account (Subscriber or above) can remove critical roles and capabilities from high-privilege users such as Administrators or WSDesk Supervisors. The result is disruption of administrative and helpdesk functions, loss of the legitimate owners' control over the site, and effectively a denial of service against administrators: if every administrator account is demoted, restoring access requires out-of-band means such as WP-CLI or direct database access.
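The following is an added illustration of the CWE-862 pattern described above in a WordPress AJAX handler, showing the missing check beside a hardened version. It is not the plugin's own code: the hook name, function names, role slugs and the choice of 'manage_options' as the gating capability are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code) of a missing capability check in a
// WordPress AJAX handler, and how to close it. Hook name, function names,
// role slugs and the gating capability are assumptions.

// --- Vulnerable pattern (not hooked here, shown only for comparison) ---
// 'wp_ajax_*' hooks fire for any logged-in user, so a Subscriber reaches this
// handler. Nothing checks who the caller is before roles are stripped.
function example_remove_agent_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user' );
    }
    // Removes every role the target holds, including 'administrator'.
    foreach ( $user->roles as $role ) {
        $user->remove_role( $role );
    }
    wp_send_json_success();
}

// --- Hardened pattern: nonce + capability check + privilege-boundary checks ---
add_action( 'wp_ajax_example_remove_agent', 'example_remove_agent_hardened' );
function example_remove_agent_hardened() {
    // 1. The request must carry a nonce minted for this action (anti-CSRF).
    //    check_ajax_referer() dies with a 403 on failure.
    check_ajax_referer( 'example_remove_agent', 'nonce' );

    // 2. The caller must hold a capability that only trusted roles have.
    //    'manage_options' is assumed here; a plugin-specific capability granted
    //    only to the supervisor role would work equally well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // 3. Do not let a non-administrator demote an administrator, and do not
    //    let an account demote itself (self-lockout).
    $target_is_admin = in_array( 'administrator', (array) $user->roles, true );
    if ( $target_is_admin && ! current_user_can( 'administrator' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( $user_id === get_current_user_id() ) {
        wp_send_json_error( 'cannot demote yourself', 400 );
    }

    // 4. Only remove the plugin's own roles, never arbitrary ones such as
    //    'administrator'. The slugs below are assumed for the example.
    $plugin_roles = array( 'wsdesk_agent', 'wsdesk_supervisor' );
    foreach ( array_intersect( (array) $user->roles, $plugin_roles ) as $role ) {
        $user->remove_role( $role );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The nonce alone does not fix CWE-862: a Subscriber can obtain a valid nonce from any page that prints one for them, so step 2 (current_user_can) is the authorization check the vulnerable version lacks, and steps 3 and 4 keep a legitimately privileged caller from accidentally removing the site's last administrator.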