Platform
wordpress
Component
elex-helpdesk-customer-support-ticket-system
Fixed version
3.3.3
CVE-2025-13534 describes a privilege escalation vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin (also sold as WSDesk). An authenticated attacker with Contributor-level access or higher can use it to obtain full administrator privileges within the helpdesk system; the affected code path is the plugin's eh_crm_edit_agent AJAX action. All plugin versions up to and including 3.3.2 are affected, and the issue is fixed in version 3.3.3.
Successful exploitation of CVE-2025-13534 allows an attacker to bypass authorization checks and elevate their privileges to a full helpdesk administrator. This grants them complete control over the WSDesk system, including the ability to manage tickets, configure settings, add or remove agents, and access sensitive customer data. The potential impact is significant, as the attacker can compromise the confidentiality, integrity, and availability of the entire helpdesk system and the data it contains. This vulnerability is particularly concerning given the sensitive nature of customer support interactions and the potential for data breaches.
CVE-2025-13534 was publicly disclosed on December 2, 2025. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 6.3 (MEDIUM) indicates a moderate risk level.
Websites running the ELEX WordPress HelpDesk & Customer Ticketing System plugin are at risk, and most of all those that hand out the Contributor role widely (guest authors, external writers, trial accounts), because any one of those accounts is a sufficient foothold. The escalation is scoped to the WordPress installation the account belongs to: on shared hosting, a compromised Contributor account on one site does not reach other sites unless the host fails to isolate installations from each other at the filesystem or database level.
• wordpress / composer / npm: check whether the affected AJAX handler is present in the installed plugin (the string is also present in the patched release, so a hit confirms the plugin is installed, not that it is vulnerable; the version check below decides that)
grep -r 'eh_crm_edit_agent' /var/www/html/wp-content/plugins/elex-helpdesk-customer-support-ticket-system/
• wordpress / composer / npm: confirm the installed version and whether an update is available (the slug is the one listed under Component above; confirm the directory name on disk matches before relying on it)
wp plugin list --name=elex-helpdesk-customer-support-ticket-system --fields=name,status,version,update_version
• wordpress / composer / npm: update to the fixed release
wp plugin update elex-helpdesk-customer-support-ticket-system
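The three steps above can be folded into one script that runs across every WordPress install on a host. The following is an added example, not code from the advisory or from the plugin vendor: it compares the installed version against the fixed release with a dotted-version sort (a plain string comparison would call 3.10.0 older than 3.3.3), and assumes that the plugin directory name is the wordpress.org slug given under Component above and that wp-cli is on the PATH.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): decide whether an
# installed copy of the plugin is in the affected range (<= 3.3.2) and, when
# wp-cli is available, look the installed version up and update if needed.
# Assumption: the plugin directory is the wordpress.org slug given in the
# advisory's component field.

FIXED_VERSION="3.3.3"
PLUGIN_SLUG="elex-helpdesk-customer-support-ticket-system"

# version_lt A B: exit 0 when A sorts strictly before B as a dotted version.
# sort -V orders 3.3.3 before 3.10.0; a lexical comparison would not.
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_vulnerable VERSION: exit 0 if VERSION is below the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version WP_PATH: print the version wp-cli reports, or nothing
# if the plugin is not installed or wp-cli is unavailable.
installed_version() {
    wp --path="$1" plugin list --name="$PLUGIN_SLUG" --field=version 2>/dev/null
}

# check_site WP_PATH: print a one-line verdict and update when vulnerable.
check_site() {
    v=$(installed_version "$1")
    if [ -z "$v" ]; then
        echo "$1: plugin not installed"
        return 0
    fi
    if is_vulnerable "$v"; then
        echo "$1: $v is affected by CVE-2025-13534, updating"
        wp --path="$1" plugin update "$PLUGIN_SLUG"
    else
        echo "$1: $v is not affected"
    fi
}

# Usage: walk every WordPress install under the web root (adjust the glob).
# for site in /var/www/*/public_html; do check_site "$site"; done
```

Run it with a glob that matches your document roots; sites that return "not installed" can be dropped from the follow-up list, and the `wp plugin update` call only fires for versions below 3.3.3.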
Exploitation status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13534 is to upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.3 or later without delay. If the upgrade cannot be applied immediately because of compatibility concerns, reduce the exposed attack surface in the meantime: audit every account holding the Contributor role or above, remove or downgrade accounts that do not need it, and reset credentials for any that look stale or shared. This narrows who can reach the flaw but does not remove it. Monitor for requests that invoke the plugin's eh_crm_edit_agent AJAX action, keeping in mind that a web-server access log shows the action name only when it is passed in the query string of a GET request; a POST to wp-admin/admin-ajax.php carries it in the request body, which needs a WAF, a security plugin or request-body logging to see. After upgrading, confirm the fix in a staging copy by calling the same administrative functions as a Contributor-level user; the request should be rejected as unauthorized.
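The monitoring advice above hinges on the difference between what an access log does and does not record. The script below is an added example, not part of the advisory: it runs over constructed sample log lines in the Apache/nginx combined format and separates GET requests that name the eh_crm_edit_agent action in the query string from POSTs to admin-ajax.php whose action is invisible to the access log and need body-level logging to classify. The log lines, IP addresses and hostnames are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory: pull requests that name the
# eh_crm_edit_agent AJAX action out of a web-server access log. Only the
# query string is logged, so a POST to admin-ajax.php is reported separately
# as a request that needs WAF or request-body logging to attribute.

ACTION="eh_crm_edit_agent"

# Constructed sample log lines (combined log format), not from a real host.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [02/Dec/2025:10:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=eh_crm_edit_agent&agent_id=5 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2025:10:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "https://shop.example/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [02/Dec/2025:10:15:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Dec/2025:10:16:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# named_action_hits LOGFILE: lines whose query string names the action exactly
# (action= may be preceded by other parameters and followed by & or a space).
named_action_hits() {
    grep -E "admin-ajax\.php\?([^ ]*&)?action=${ACTION}(&|[ ])" "$1"
}

# blind_post_hits LOGFILE: POSTs to admin-ajax.php whose action is not in the
# logged request line; these cannot be cleared or confirmed from this log alone.
blind_post_hits() {
    grep -E '"POST /wp-admin/admin-ajax\.php(\?[^ ]*)? HTTP' "$1" | grep -v "action=${ACTION}"
}

# count_named_hits LOGFILE: number of lines flagged by named_action_hits.
count_named_hits() {
    named_action_hits "$1" | wc -l | tr -d ' '
}

# count_blind_posts LOGFILE: number of lines flagged by blind_post_hits.
count_blind_posts() {
    blind_post_hits "$1" | wc -l | tr -d ' '
}

# Usage against a real log:
#   named_action_hits /var/log/apache2/access.log
#   blind_post_hits  /var/log/apache2/access.log
```

On the sample input one line names the action outright and one POST is unattributable; in practice the second category is where a WordPress AJAX call usually lands, which is why the access log alone cannot rule out abuse of the action.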
Update to version 3.3.3 or a later patched version.
CVE-2025-13534 is a vulnerability in the ELEX WordPress HelpDesk plugin allowing authenticated users with Contributor access to gain administrator privileges. It impacts versions 0.0.0–3.3.2.
If you are using ELEX WordPress HelpDesk & Customer Ticketing System version 0.0.0 through 3.3.2, you are potentially affected by this vulnerability.
Upgrade the ELEX WordPress HelpDesk & Customer Ticketing System plugin to version 3.3.3 or later to resolve the vulnerability.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13534.
Refer to the ELEX WordPress website and plugin documentation for the official advisory and update information regarding CVE-2025-13534.