Platform: wordpress
Component: happy-helpdesk-support-ticket-system
Fixed in: 1.0.8
CVE-2025-49372 describes a Remote Code Execution (RCE) vulnerability within the HAPPY Helpdesk Support Ticket System. This flaw allows attackers to achieve Remote Code Inclusion, enabling them to execute arbitrary code on vulnerable systems. The vulnerability impacts versions 0.0.0 through 1.0.7 of the plugin, and a patch is available in version 1.0.8.
The impact of this RCE vulnerability is severe. An attacker exploiting this flaw can execute arbitrary code on the server hosting the WordPress site, potentially gaining complete control over the system. This could lead to data breaches, website defacement, malware installation, and further lateral movement within the network. The Remote Code Inclusion aspect significantly elevates the risk, as attackers can leverage this to execute malicious scripts directly on the server, bypassing typical security controls. Successful exploitation could compromise sensitive customer data, financial information, and other critical assets.
CVE-2025-49372 was publicly disclosed on 2025-11-06. The CVSS score of 10 (CRITICAL) indicates a high probability of exploitation. While no public proof-of-concept (PoC) has been observed as of this writing, the nature of the RCE vulnerability makes it a likely target for exploitation by malicious actors. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Websites utilizing the HAPPY Helpdesk Support Ticket System plugin, particularly those running older, unpatched versions (0.0.0 - 1.0.7), are at significant risk. Shared hosting environments where multiple websites share the same server resources are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -rF "include(\$_REQUEST['happy_file']);" /var/www/html/wp-content/plugins/happy-helpdesk-support-ticket-system/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/happy-helpdesk-support-ticket-system/ | grep -i 'include'  # check for suspicious headers
Exploit status
EPSS: 0.09% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49372 is to immediately upgrade the HAPPY Helpdesk Support Ticket System plugin to version 1.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporary workarounds: restricting file access permissions within the WordPress environment, deploying a Web Application Firewall (WAF) with rules that block suspicious code inclusion attempts, and reviewing the plugin's code for unusual or unauthorized file access patterns. After upgrading, confirm the fix by safely repeating the inclusion check in a test environment and verifying that it is blocked.
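The version check and code review above, as an added example that is not part of the advisory or of the plugin vendor's code: the script reads the installed plugin version from its WordPress plugin header, compares it numerically against the fixed release 1.0.8, and counts include/require statements fed directly from request input. It assumes only the standard "Plugin Name:" / "Version:" header comment; the plugin's main file name and the constructed sample header in the test are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): is the installed
# HAPPY Helpdesk plugin inside the affected range 0.0.0 - 1.0.7?
FIXED_VERSION="1.0.8"   # from the advisory

# Print the Version: value of the first PHP file in DIR carrying a plugin header.
# Assumes the standard WordPress header comment; the main file name is not assumed.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] && grep -q 'Plugin Name:' "$f" || continue
        sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1
        return 0
    done
    return 1
}

# Numeric comparison of dotted versions (so 1.0.10 > 1.0.8); prints -1, 0 or 1.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
    done
    echo 0
}

# True when VERSION predates the fixed release.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Count include/require statements that take request input directly: the
# "unusual file access patterns" worth reviewing while a site stays unpatched.
count_dynamic_includes() {
    grep -rEc '(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' "$1" 2>/dev/null \
        | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Usage: sh check.sh /var/www/html/wp-content/plugins/happy-helpdesk-support-ticket-system
if [ $# -gt 0 ]; then
    v=$(plugin_version "$1") || { echo "no plugin header found in $1"; exit 2; }
    if is_affected "$v"; then
        echo "version $v is affected by CVE-2025-49372 (fixed in $FIXED_VERSION)"
        echo "include/require statements fed from request input: $(count_dynamic_includes "$1")"
    else
        echo "version $v is not in the affected range"
    fi
fi
```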
Update the HAPPY plugin to the latest available version to mitigate the remote code execution vulnerability. Check the plugin's source on wordpress.org for the most recent update. Consider implementing additional security measures, such as restricting access to sensitive files and directories.
CVE-2025-49372 is a critical Remote Code Execution vulnerability in the HAPPY Helpdesk Support Ticket System plugin for WordPress, allowing attackers to execute arbitrary code via Remote Code Inclusion.
You are affected if you are using HAPPY Helpdesk Support Ticket System versions 0.0.0 through 1.0.7. Check your plugin versions immediately.
Upgrade the HAPPY Helpdesk Support Ticket System plugin to version 1.0.8 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrading is not possible.
While no active exploitation has been confirmed, the CRITICAL severity and RCE nature of the vulnerability suggest a high likelihood of exploitation. Monitor for any signs of attack.
Refer to the official VillaTheme website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-49372.