exploitDog

CVE-2025-12169

Опубликовано: 21 нояб. 2025

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.

Ссылки

https://plugins.trac.wordpress.org/changeset/3391816
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/ae2ac493-e6df-4083-8601-65635ad342b2?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:elula:wsdesk:*:*:*:*:free:wordpress:*:*

Версия до 3.3.1 (исключая)

EPSS

Процентиль: 12%

0.00039

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-862

Связанные уязвимости

GHSA-q33v-m628-m559

CVSS3: 4.3

github

3 месяца назад

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.

EPSS

Процентиль: 12%

0.00039

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-862