CVE-2025-67977
Awaiting Analysis Awaiting Analysis - Queue
Missing Authorization in VillaTheme HAPPY Allows Unauthorized Access

Publication date: 2026-02-20

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through <= 1.0.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67977
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
villatheme happy_helpdesk_support_ticket_system to 1.0.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67977 is a high-priority Broken Access Control vulnerability in the WordPress HAPPY Plugin versions up to and including 1.0.8. It arises from missing access control mechanisms in certain plugin functions, allowing unauthenticated users to bypass authorization, authentication, or nonce token checks.

This means attackers can perform actions that should be restricted to higher-privileged users, effectively escalating their privileges without proper permission.

Impact Analysis

This vulnerability can have serious impacts as it allows unauthorized users to perform privileged actions within the WordPress HAPPY Plugin. Such unauthorized access can lead to data manipulation, unauthorized ticket management, or other administrative actions that compromise the integrity and security of the affected system.

Because the vulnerability enables privilege escalation without authentication, it increases the risk of exploitation by attackers, potentially leading to data breaches or service disruptions.

Compliance Impact

I don't know

Detection Guidance

This vulnerability allows unauthenticated users to bypass authorization and perform privileged actions due to missing access control in the HAPPY WordPress plugin (versions up to 1.0.8). Detection involves monitoring for unauthorized access attempts or actions that should require higher privileges.

While no specific commands are provided, administrators can check plugin versions installed on their WordPress sites to identify if they are running vulnerable versions (≀ 1.0.8). Additionally, reviewing web server logs for suspicious requests targeting the HAPPY plugin endpoints or unusual privilege escalation attempts may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to update the HAPPY WordPress plugin to version 1.0.9 or later, where the vulnerability has been patched.

Until the update can be applied, users of Patchstack can enable an immediate mitigation rule that blocks attacks targeting this vulnerability.

Additionally, enabling auto-updates for vulnerable plugins can ensure rapid protection against this and similar vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart