Skip to main content

VillaTheme HAPPY CVE-2025-68556

MEDIUM
Missing Authorization (CWE-862)
2025-12-23 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 23, 2025 - 12:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through <= 1.0.9.

AnalysisAI

Missing authorization controls in VillaTheme HAPPY helpdesk plugin versions up to 1.0.9 allow unauthenticated attackers to bypass access restrictions and interact with support ticket functionality without proper permission verification. This authentication bypass vulnerability affects WordPress installations using the vulnerable plugin and could permit unauthorized access to sensitive support tickets and helpdesk operations. The issue has been reported by Patchstack security researchers with a low EPSS exploitation probability (0.04%) despite the authorization flaw.

Technical ContextAI

VillaTheme HAPPY (happy-helpdesk-support-ticket-system) is a WordPress plugin that provides helpdesk and support ticket management functionality. The vulnerability stems from CWE-862 (Missing Authorization), a common weakness where access control checks are either missing or incorrectly implemented in the plugin's code. Rather than enforcing capability checks before sensitive operations, the plugin accepts requests without validating whether the requesting user has appropriate permissions. This type of flaw typically occurs in WordPress plugin development when developers fail to use WordPress's role-based access control (capabilities system) or implement custom access checks with logical errors. The affected CPE scope covers the HAPPY plugin from version 1.0.0 through 1.0.9 running on WordPress installations.

Affected ProductsAI

VillaTheme HAPPY (happy-helpdesk-support-ticket-system) WordPress plugin versions 1.0.0 through 1.0.9 are affected. The plugin is distributed via the WordPress.org plugin repository under the CPE identifier for WordPress plugins. Organizations can verify their installation version by checking the plugin details in the WordPress admin dashboard.

RemediationAI

Update VillaTheme HAPPY plugin to version 1.0.10 or later, which includes authorization control corrections. In WordPress admin, navigate to Plugins, locate 'HAPPY - Helpdesk Support Ticket System', and click Update. If automatic updates are disabled, download the patched version from the official WordPress plugin repository or from the vendor's website. Administrators should verify that access control is properly enforced by testing that users can only view and modify their own tickets post-update. Reference the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve) for additional technical details. If immediate patching is not possible, restrict direct access to the plugin's helpdesk endpoints using web application firewall rules or WordPress authentication plugins until the fix can be deployed.

Share

CVE-2025-68556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy