CVE-2025-12085
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-12-03
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elula | wsdesk | to 3.3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the ELEX WordPress HelpDesk & Customer Ticketing System plugin, where a missing capability check in the 'eh_crm_settings_empty_trash' function allows authenticated users with Subscriber-level access or higher to empty the ticket trash without proper authorization.
How can this vulnerability impact me? :
An attacker with at least Subscriber-level access can delete tickets by emptying the ticket trash, leading to unauthorized modification or loss of data within the HelpDesk system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to a version later than 3.3.1 where the issue is fixed. Additionally, restrict Subscriber-level access and above from performing unauthorized actions until the update is applied.