WordPress
CVE-2025-14581
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The HAPPY - Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket.
AnalysisAI
The HAPPY Helpdesk Support Ticket System WordPress plugin up to version 1.0.9 allows authenticated attackers with Subscriber-level access to submit replies to arbitrary support tickets by bypassing authorization checks on the 'submit_form_reply' AJAX action. The vulnerability stems from missing capability validation before processing ticket replies, enabling low-privileged users to manipulate the 'happy_topic_id' parameter and interact with tickets they do not own or are not assigned to. While the CVSS score of 4.3 reflects low-to-medium severity with integrity impact only, the EPSS percentile of 13% and absence of evidence of active exploitation suggest this is not an immediate critical priority, though it should be patched to prevent unauthorized ticket interference.
Technical ContextAI
The vulnerability exists in the AJAX handler for the 'submit_form_reply' action within the HAPPY Helpdesk plugin's ticket reply mechanism (specifically in inc/happy-replies.php at line 585). The root cause is classified as CWE-862 (Missing Authorization), indicating that the plugin fails to implement WordPress capability checks before processing AJAX requests. The 'submit_form_reply' function receives user input (the 'happy_topic_id' parameter) from unauthenticated POST data but does not verify whether the authenticated user has permission to reply to the specified ticket. In WordPress, this typically requires a call to current_user_can() with an appropriate capability before processing the request. The vulnerable code accepts any authenticated user above Subscriber level without validating ticket ownership or assignment status, allowing privilege escalation within the plugin's feature set.
Affected ProductsAI
The HAPPY Helpdesk Support Ticket System plugin for WordPress is affected in all versions up to and including 1.0.9. The plugin is distributed through the official WordPress plugin repository (plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system). The CPE for this plugin would be CPE:2.3:a:happy-helpdesk-support-ticket-system_project:happy-helpdesk-support-ticket-system:*:*:*:*:*:wordpress:*. The vulnerability has been identified and patched in the trunk (development) version as evidenced by the changeset reference, indicating that a fixed release should be available from the WordPress plugin repository.
RemediationAI
Update the HAPPY Helpdesk Support Ticket System plugin to a version released after 1.0.9. The trunk version (development branch) contains the fix as shown in the referenced changeset at plugins.trac.wordpress.org/changeset, which means a patched release has been deployed or will be made available through the WordPress plugin repository. Site administrators should navigate to Plugins > Installed Plugins in their WordPress dashboard, locate 'HAPPY Helpdesk Support Ticket System,' and click 'Update' to install the latest patched version. If an automatic update is not available immediately, verify the plugin version against the official WordPress plugins repository listing at https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b to confirm a patched release has been published. As a temporary mitigation for sites unable to update immediately, restrict Subscriber-level user account creation and audit existing subscriber accounts for suspicious ticket reply activity.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today