Skip to main content

WordPress CVE-2025-14581

MEDIUM
Missing Authorization (CWE-862)
2025-12-13 security@wordfence.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 08, 2026 - 18:38 vuln.today
CVE Published
Dec 13, 2025 - 16:16 nvd
MEDIUM 4.3

DescriptionCVE.org

The HAPPY - Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket.

AnalysisAI

The HAPPY Helpdesk Support Ticket System WordPress plugin up to version 1.0.9 allows authenticated attackers with Subscriber-level access to submit replies to arbitrary support tickets by bypassing authorization checks on the 'submit_form_reply' AJAX action. The vulnerability stems from missing capability validation before processing ticket replies, enabling low-privileged users to manipulate the 'happy_topic_id' parameter and interact with tickets they do not own or are not assigned to. While the CVSS score of 4.3 reflects low-to-medium severity with integrity impact only, the EPSS percentile of 13% and absence of evidence of active exploitation suggest this is not an immediate critical priority, though it should be patched to prevent unauthorized ticket interference.

Technical ContextAI

The vulnerability exists in the AJAX handler for the 'submit_form_reply' action within the HAPPY Helpdesk plugin's ticket reply mechanism (specifically in inc/happy-replies.php at line 585). The root cause is classified as CWE-862 (Missing Authorization), indicating that the plugin fails to implement WordPress capability checks before processing AJAX requests. The 'submit_form_reply' function receives user input (the 'happy_topic_id' parameter) from unauthenticated POST data but does not verify whether the authenticated user has permission to reply to the specified ticket. In WordPress, this typically requires a call to current_user_can() with an appropriate capability before processing the request. The vulnerable code accepts any authenticated user above Subscriber level without validating ticket ownership or assignment status, allowing privilege escalation within the plugin's feature set.

Affected ProductsAI

The HAPPY Helpdesk Support Ticket System plugin for WordPress is affected in all versions up to and including 1.0.9. The plugin is distributed through the official WordPress plugin repository (plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system). The CPE for this plugin would be CPE:2.3:a:happy-helpdesk-support-ticket-system_project:happy-helpdesk-support-ticket-system:*:*:*:*:*:wordpress:*. The vulnerability has been identified and patched in the trunk (development) version as evidenced by the changeset reference, indicating that a fixed release should be available from the WordPress plugin repository.

RemediationAI

Update the HAPPY Helpdesk Support Ticket System plugin to a version released after 1.0.9. The trunk version (development branch) contains the fix as shown in the referenced changeset at plugins.trac.wordpress.org/changeset, which means a patched release has been deployed or will be made available through the WordPress plugin repository. Site administrators should navigate to Plugins > Installed Plugins in their WordPress dashboard, locate 'HAPPY Helpdesk Support Ticket System,' and click 'Update' to install the latest patched version. If an automatic update is not available immediately, verify the plugin version against the official WordPress plugins repository listing at https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b to confirm a patched release has been published. As a temporary mitigation for sites unable to update immediately, restrict Subscriber-level user account creation and audit existing subscriber accounts for suspicious ticket reply activity.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-14581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy