Scan free
MEDIUMCVE-2025-13534CVSS 6.3

CVE-2025-13534: Privilege Escalation in ELEX WordPress HelpDesk

Platform

wordpress

Component

elex-helpdesk-customer-support-ticket-system

Fixed in

3.3.3

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

CVE-2025-13534 describes a Privilege Escalation vulnerability affecting the ELEX WordPress HelpDesk & Customer Ticketing System plugin. An authenticated attacker with Contributor-level access or higher can exploit this flaw to gain full administrator privileges within the helpdesk system. This vulnerability impacts versions 0.0.0 through 3.3.2 of the plugin and has been resolved in version 3.3.3.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

Successful exploitation of CVE-2025-13534 allows an attacker to bypass authorization checks and elevate their privileges to a full helpdesk administrator. This grants them complete control over the WSDesk system, including the ability to manage tickets, configure settings, add or remove agents, and access sensitive customer data. The potential impact is significant, as the attacker can compromise the confidentiality, integrity, and availability of the entire helpdesk system and the data it contains. This vulnerability is particularly concerning given the sensitive nature of customer support interactions and the potential for data breaches.

Exploitation Context

CVE-2025-13534 was publicly disclosed on December 2, 2025. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 6.3 (MEDIUM) indicates a moderate risk level.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.06% (20% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L6.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentelex-helpdesk-customer-support-ticket-system
Vendorwordfence
Affected rangeFixed in
0.0.0 – 3.3.23.3.3

Package Information

Active installs
300Niche
Plugin rating
3.9
Requires WordPress
3.0.1+
Compatible up to
6.9.4
Requires PHP
7.1.8+
Homepage

Weakness Classification (CWE)

CWE-269

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-13534 is to immediately upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter access controls within WordPress itself to limit the permissions granted to Contributor-level users. While not a complete solution, this can reduce the potential impact of the vulnerability. Monitor WordPress access logs for suspicious activity, particularly attempts to access the ehcrmedit_agent AJAX action. After upgrading, confirm the fix by attempting to access administrative functions with a Contributor-level user account; access should be denied.

How to fix

Update to version 3.3.3, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-13534 — Privilege Escalation in ELEX WordPress HelpDesk?

CVE-2025-13534 is a vulnerability in the ELEX WordPress HelpDesk plugin allowing authenticated users with Contributor access to gain administrator privileges. It impacts versions 0.0.0–3.3.2.

Am I affected by CVE-2025-13534 in ELEX WordPress HelpDesk?

If you are using ELEX WordPress HelpDesk & Customer Ticketing System version 0.0.0 through 3.3.2, you are potentially affected by this vulnerability.

How do I fix CVE-2025-13534 in ELEX WordPress HelpDesk?

Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.3 or later to resolve the vulnerability.

Is CVE-2025-13534 being actively exploited?

There is currently no evidence of active exploitation campaigns targeting CVE-2025-13534.

Where can I find the official ELEX WordPress advisory for CVE-2025-13534?

Refer to the ELEX WordPress website and plugin documentation for the official advisory and update information regarding CVE-2025-13534.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs