CVE-2025-67977
Missing Authorization in VillaTheme HAPPY Allows Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| villatheme | happy_helpdesk_support_ticket_system | to 1.0.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67977 is a high-priority Broken Access Control vulnerability in the WordPress HAPPY Plugin versions up to and including 1.0.8. It arises from missing access control mechanisms in certain plugin functions, allowing unauthenticated users to bypass authorization, authentication, or nonce token checks.
This means attackers can perform actions that should be restricted to higher-privileged users, effectively escalating their privileges without proper permission.
How can this vulnerability impact me? :
This vulnerability can have serious impacts as it allows unauthorized users to perform privileged actions within the WordPress HAPPY Plugin. Such unauthorized access can lead to data manipulation, unauthorized ticket management, or other administrative actions that compromise the integrity and security of the affected system.
Because the vulnerability enables privilege escalation without authentication, it increases the risk of exploitation by attackers, potentially leading to data breaches or service disruptions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated users to bypass authorization and perform privileged actions due to missing access control in the HAPPY WordPress plugin (versions up to 1.0.8). Detection involves monitoring for unauthorized access attempts or actions that should require higher privileges.
While no specific commands are provided, administrators can check plugin versions installed on their WordPress sites to identify if they are running vulnerable versions (β€ 1.0.8). Additionally, reviewing web server logs for suspicious requests targeting the HAPPY plugin endpoints or unusual privilege escalation attempts may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the HAPPY WordPress plugin to version 1.0.9 or later, where the vulnerability has been patched.
Until the update can be applied, users of Patchstack can enable an immediate mitigation rule that blocks attacks targeting this vulnerability.
Additionally, enabling auto-updates for vulnerable plugins can ensure rapid protection against this and similar vulnerabilities.