CVE-2025-14581
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The HAPPY - Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket.
Analysis
The HAPPY Helpdesk Support Ticket System plugin for WordPress, in all versions up to and including 1.0.9, lets any authenticated user with Subscriber-level access or higher submit replies to arbitrary support tickets, because the 'submit_form_reply' AJAX action performs no authorization check before processing a reply. The handler trusts the 'happy_topic_id' parameter supplied in the request, so a low-privileged user can address a reply to any ticket ID and interact with tickets they neither own nor are assigned to. The CVSS 3.1 base score of 4.3 (Medium) reflects an integrity-only impact with no confidentiality or availability component; combined with an EPSS percentile of 13% and no reported in-the-wild exploitation, this is not an emergency, but it should be patched promptly because it allows unauthorized interference with other users' tickets (injected replies, misleading instructions to ticket owners or agents).
Technical Context
The vulnerability exists in the AJAX handler for the 'submit_form_reply' action within the HAPPY Helpdesk plugin's ticket reply mechanism (reported in inc/happy-replies.php at line 585). The root cause is classified as CWE-862 (Missing Authorization): the plugin does not verify that the requesting user is permitted to act on the targeted ticket before processing the AJAX request. In WordPress, a handler registered on the 'wp_ajax_{action}' hook runs for any logged-in user, so the hook itself provides authentication only, not authorization. The 'submit_form_reply' handler reads the 'happy_topic_id' parameter from untrusted POST data and stores the reply against that ticket without checking whether the authenticated user owns the ticket or has been assigned to it. Closing this class of flaw requires two things: a capability check (current_user_can() with an appropriate capability) for roles that may act on any ticket, and an object-level check that ties the specific ticket ID in the request to the caller (owner or assigned agent); a capability check alone is insufficient here, since Subscribers legitimately need to reply to their own tickets. Because the vulnerable code accepts any authenticated user at Subscriber level or above without validating ticket ownership or assignment, a low-privileged account can perform ticket actions the plugin intends only for the ticket owner and assigned staff.
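The check described above, as an added example that is not the HAPPY plugin's own code: a constructed WordPress AJAX handler for the 'submit_form_reply' action written with the flaw the advisory describes, next to a hardened version that verifies the request nonce, the ticket's existence and the caller's relationship to that ticket before storing the reply. Only the action name and the 'happy_topic_id' parameter come from the advisory; the function names, the 'example_submit_reply' nonce action, the 'happy_ticket' post type, the '_happy_assigned_agent' meta key, the 'manage_happy_tickets' capability and the 'happy_reply' comment type are assumptions for illustration. The nonce check addresses CSRF, which this CVE does not cover, and is included because it is the standard companion to the authorization check in a WordPress AJAX handler.

```php
<?php
/**
 * Constructed example (not the plugin's code): a 'submit_form_reply' AJAX
 * handler with the missing-authorization flaw, and a hardened replacement.
 * Assumed names: the 'example_' functions, nonce action 'example_submit_reply',
 * post type 'happy_ticket', meta key '_happy_assigned_agent', capability
 * 'manage_happy_tickets', comment type 'happy_reply'.
 */

// --- Vulnerable pattern (shown for contrast, deliberately NOT registered). ---
// The wp_ajax_ hook already fires for any logged-in user (Subscriber and up);
// the handler then trusts 'happy_topic_id' and never asks whether this user
// may reply to that ticket.
// add_action( 'wp_ajax_submit_form_reply', 'example_submit_form_reply_vulnerable' );
function example_submit_form_reply_vulnerable() {
    $topic_id = isset( $_POST['happy_topic_id'] ) ? absint( $_POST['happy_topic_id'] ) : 0;
    $reply    = isset( $_POST['reply'] ) ? wp_kses_post( wp_unslash( $_POST['reply'] ) ) : '';

    // No nonce, no capability check, no ownership/assignment check.
    example_store_reply( $topic_id, $reply, get_current_user_id() );
    wp_send_json_success();
}

// --- Hardened pattern: authentication (hook) + CSRF (nonce) + authorization. ---
add_action( 'wp_ajax_submit_form_reply', 'example_submit_form_reply_hardened' );
function example_submit_form_reply_hardened() {
    // 1. CSRF: request must carry a nonce issued for this action. Dies on failure.
    check_ajax_referer( 'example_submit_reply', 'nonce' );

    // 2. Resolve the ticket the caller named and confirm it is really a ticket.
    $topic_id = isset( $_POST['happy_topic_id'] ) ? absint( $_POST['happy_topic_id'] ) : 0;
    $ticket   = $topic_id ? get_post( $topic_id ) : null;
    if ( ! $ticket || 'happy_ticket' !== $ticket->post_type ) {
        wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 ); // wp_die()s
    }

    // 3. Authorization: owner, assigned agent, or a role allowed on all tickets.
    if ( ! example_user_can_reply_to_ticket( get_current_user_id(), $ticket ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to reply to this ticket.' ), 403 );
    }

    // 4. Only now touch the payload.
    $reply = isset( $_POST['reply'] ) ? wp_kses_post( wp_unslash( $_POST['reply'] ) ) : '';
    if ( '' === trim( wp_strip_all_tags( $reply ) ) ) {
        wp_send_json_error( array( 'message' => 'Empty reply.' ), 400 );
    }

    $comment_id = example_store_reply( $ticket->ID, $reply, get_current_user_id() );
    wp_send_json_success( array( 'ticket' => $ticket->ID, 'reply' => $comment_id ) );
}

/**
 * Object-level check: the decisive control for this CVE. current_user_can()
 * alone cannot express "this Subscriber may reply to ticket 42 but not 43".
 */
function example_user_can_reply_to_ticket( $user_id, WP_Post $ticket ) {
    if ( current_user_can( 'manage_happy_tickets' ) ) {   // staff role (assumed cap)
        return true;
    }
    if ( (int) $ticket->post_author === (int) $user_id ) { // ticket owner
        return true;
    }
    $assigned = (int) get_post_meta( $ticket->ID, '_happy_assigned_agent', true );
    return $assigned === (int) $user_id;                   // assigned agent
}

/** Store the reply as a comment on the ticket post (assumed storage model). */
function example_store_reply( $ticket_id, $reply, $user_id ) {
    return wp_insert_comment( array(
        'comment_post_ID'  => $ticket_id,
        'comment_content'  => $reply,
        'user_id'          => $user_id,
        'comment_type'     => 'happy_reply',
        'comment_approved' => 1,
    ) );
}
```

The ordering matters: the ticket is resolved from the request and the authorization decision is made against that specific object before any part of the payload is processed or stored, so a Subscriber supplying someone else's ticket ID receives a 403 rather than a stored reply.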
Affected Products
The HAPPY Helpdesk Support Ticket System plugin for WordPress is affected in all versions up to and including 1.0.9. The plugin is distributed through the official WordPress plugin repository (source browsable at plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system). A CPE name in the form used for WordPress plugins would be cpe:2.3:a:happy-helpdesk-support-ticket-system_project:happy-helpdesk-support-ticket-system:*:*:*:*:*:wordpress:*:*; treat it as a candidate identifier rather than a confirmed NVD assignment. The referenced changeset shows the fix committed to trunk (the development branch), which indicates that a corrected release has been, or will be, published through the WordPress plugin repository.
Remediation
Update the HAPPY Helpdesk Support Ticket System plugin to a version released after 1.0.9. The referenced changeset at plugins.trac.wordpress.org/changeset shows the fix in trunk, so a patched release has been deployed or will be made available through the WordPress plugin repository. Site administrators should navigate to Plugins > Installed Plugins in the WordPress dashboard, locate 'HAPPY - Helpdesk Support Ticket System', and click 'Update' to install the latest version. If no update is offered yet, check the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b and the plugin's page in the WordPress plugin directory to confirm whether a release newer than 1.0.9 has been published, and compare it against the installed version. As a temporary mitigation for sites that cannot update immediately, reduce the pool of accounts that can reach the vulnerable action: disable open registration (Settings > General, 'Anyone can register') if the site does not need self-service accounts, remove or disable unneeded Subscriber accounts, and review recent ticket replies for ones posted by users who are neither the ticket owner nor the assigned agent.