CVE-2025-13534
BaseFortify
Publication date: 2025-12-02
Last updated on: 2025-12-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elula | wsdesk | to 3.3.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the ELEX WordPress HelpDesk & Customer Ticketing System plugin up to version 3.3.2. It is a privilege escalation flaw caused by missing authorization checks on the eh_crm_edit_agent AJAX action. Authenticated users with Contributor-level access or higher can exploit this to escalate their privileges from limited ticket reply permissions to full administrator capabilities within the helpdesk system.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can gain unauthorized full administrative access to the helpdesk system, allowing them to manage tickets, change settings, administer agents, and access sensitive customer data. This could lead to data breaches, unauthorized changes, and disruption of helpdesk operations.