Skip to main content

Support Ticket Management System CVE-2025-69179

| EUVDEUVD-2025-210237 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-17 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

WordPress plugin reachable over HTTP with no auth or user interaction (AV:N/AC:L/PR:N/UI:N), and CWE-266 privilege escalation to administrator yields full C/I/A impact within the WordPress trust boundary (S:U).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:37 vuln.today

DescriptionCVE.org

Unauthenticated Privilege Escalation in Support Ticket Management System <= 1.9 versions.

AnalysisAI

Privilege escalation in the Support Ticket Management System WordPress plugin (versions 1.9 and earlier) by Theme Passion allows remote unauthenticated attackers to elevate privileges on affected WordPress sites. With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and is tracked in the Patchstack database. Successful exploitation likely yields administrator-level access to the WordPress instance, enabling full site takeover.

Technical ContextAI

The affected component is the Support Ticket Management System plugin for WordPress, published by Theme Passion (CPE: cpe:2.3:a:theme_passion:support_ticket_management_system). The plugin extends WordPress with helpdesk/ticketing functionality and integrates with the standard WordPress user/role model. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns a privilege or role to a user (or an unauthenticated request context) that is broader than intended - typically due to missing capability checks, missing nonce verification, or unsafe handling of role/meta parameters on a publicly reachable AJAX or REST endpoint. Because WordPress capabilities gate access to virtually all site functionality, a flaw in how this plugin assigns or persists role/meta values directly translates into account-level privilege escalation within the WordPress authorization model.

RemediationAI

No vendor-released patch identified at time of analysis; the Patchstack entry covers versions up to and including 1.9 without naming a fixed release in the supplied data, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/support_ticket/vulnerability/wordpress-support-ticket-management-system-plugin-1-9-privilege-escalation-vulnerability and the Theme Passion plugin page for an updated version above 1.9, upgrading immediately if one is published. Until a patched release is confirmed, the safest compensating control is to deactivate and remove the Support Ticket Management System plugin (side effect: ticketing functionality is lost - provide an alternative support channel such as email or a different helpdesk plugin), or alternatively restrict access to the plugin's AJAX/REST endpoints (admin-ajax.php actions and any /wp-json/ routes registered by the plugin) at the WAF/reverse-proxy layer to authenticated administrator IPs (side effect: legitimate ticket submitters will be blocked, so this only suits closed deployments). Hardening steps that reduce blast radius include enforcing 2FA on all administrator accounts, auditing wp_users and wp_usermeta for unexpected role assignments created since the plugin was installed, and rotating credentials for any account that may have been promoted.

Share

CVE-2025-69179 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy