CVE-2025-68556

2025-12-23

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 23, 2025 - 12:15 (nvd)

Description

Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through <= 1.0.9.

Analysis

Missing authorization controls in VillaTheme HAPPY helpdesk plugin versions up to 1.0.9 allow unauthenticated attackers to bypass access restrictions and interact with support ticket functionality without proper permission verification. This broken access control vulnerability affects WordPress installations using the vulnerable plugin and could permit unauthorized access to sensitive support tickets and helpdesk operations. The issue was reported by Patchstack security researchers. Its EPSS exploitation probability is low (0.04%).

Technical Context

VillaTheme HAPPY (happy-helpdesk-support-ticket-system) is a WordPress plugin that provides helpdesk and support ticket management functionality. The vulnerability stems from CWE-862 (Missing Authorization), a common weakness where access control checks are either missing or incorrectly implemented in the plugin's code. Rather than enforcing capability checks before sensitive operations, the plugin accepts requests without validating whether the requesting user has appropriate permissions. This type of flaw typically occurs in WordPress plugin development when developers fail to use WordPress's role-based access control (capabilities system) or implement custom access checks with logical errors. The affected CPE scope covers the HAPPY plugin from version 1.0.0 through 1.0.9 running on WordPress installations.

Affected Products

VillaTheme HAPPY (happy-helpdesk-support-ticket-system) WordPress plugin versions 1.0.0 through 1.0.9 are affected. The plugin is distributed via the WordPress.org plugin repository under the CPE identifier for WordPress plugins. Organizations can verify their installation version by checking the plugin details in the WordPress admin dashboard.

Remediation

Update VillaTheme HAPPY plugin to version 1.0.10 or later, which includes authorization control corrections. In WordPress admin, navigate to Plugins, locate 'HAPPY - Helpdesk Support Ticket System', and click Update. If automatic updates are disabled, download the patched version from the official WordPress plugin repository or from the vendor's website. Administrators should verify that access control is properly enforced by testing that users can only view and modify their own tickets post-update. Reference the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve) for additional technical details. If immediate patching is not possible, restrict direct access to the plugin's helpdesk endpoints using web application firewall rules or WordPress authentication plugins until the fix can be deployed.
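For checking many sites without opening each admin dashboard, the version check described above can be scripted. The following is an added example, not code from vuln.today, Patchstack or the vendor. It assumes the standard `wp-content/plugins/<slug>` layout and a standard WordPress plugin header in the plugin's main file; the script name `check_happy.py` is hypothetical.

```python
import re
import sys
from pathlib import Path

SLUG = "happy-helpdesk-support-ticket-system"  # plugin slug named in the advisory
FIXED = (1, 0, 10)  # first fixed release according to the advisory

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'1.0.9' -> (1, 0, 9); numeric tuples make 1.0.10 sort after 1.0.9."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugins_dir):
    """Return the Version header of the plugin's main file, or None."""
    plugin_dir = Path(plugins_dir) / SLUG
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress reads plugin headers from the first 8 KB of the file.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        match = VERSION_RE.search(head)
        if "Plugin Name:" in head and match:
            return match.group(1)
    return None

def status(plugins_dir):
    """Classify one wp-content/plugins directory."""
    if not (Path(plugins_dir) / SLUG).is_dir():
        return "not-installed"
    version = installed_version(plugins_dir)
    if version is None:
        return "unknown"
    return "vulnerable" if parse_version(version) < FIXED else "patched"

if __name__ == "__main__":
    # Usage: python check_happy.py /var/www/site1/wp-content/plugins [...]
    for path in sys.argv[1:]:
        print(f"{path}: {status(path)} (installed: {installed_version(path)})")
```

Versions are compared as integer tuples because a plain string comparison would rank 1.0.10 below 1.0.9 and report a patched site as vulnerable.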

Priority Score

0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
