Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
WordPress plugin reachable over HTTP with no auth or user interaction (AV:N/AC:L/PR:N/UI:N), and CWE-266 privilege escalation to administrator yields full C/I/A impact within the WordPress trust boundary (S:U).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Privilege Escalation in Support Ticket Management System <= 1.9 versions.
AnalysisAI
Privilege escalation in the Support Ticket Management System WordPress plugin (versions 1.9 and earlier) by Theme Passion allows remote unauthenticated attackers to elevate privileges on affected WordPress sites. With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and is tracked in the Patchstack database. Successful exploitation likely yields administrator-level access to the WordPress instance, enabling full site takeover.
Technical ContextAI
The affected component is the Support Ticket Management System plugin for WordPress, published by Theme Passion (CPE: cpe:2.3:a:theme_passion:support_ticket_management_system). The plugin extends WordPress with helpdesk/ticketing functionality and integrates with the standard WordPress user/role model. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns a privilege or role to a user (or an unauthenticated request context) that is broader than intended - typically due to missing capability checks, missing nonce verification, or unsafe handling of role/meta parameters on a publicly reachable AJAX or REST endpoint. Because WordPress capabilities gate access to virtually all site functionality, a flaw in how this plugin assigns or persists role/meta values directly translates into account-level privilege escalation within the WordPress authorization model.
RemediationAI
No vendor-released patch identified at time of analysis; the Patchstack entry covers versions up to and including 1.9 without naming a fixed release in the supplied data, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/support_ticket/vulnerability/wordpress-support-ticket-management-system-plugin-1-9-privilege-escalation-vulnerability and the Theme Passion plugin page for an updated version above 1.9, upgrading immediately if one is published. Until a patched release is confirmed, the safest compensating control is to deactivate and remove the Support Ticket Management System plugin (side effect: ticketing functionality is lost - provide an alternative support channel such as email or a different helpdesk plugin), or alternatively restrict access to the plugin's AJAX/REST endpoints (admin-ajax.php actions and any /wp-json/ routes registered by the plugin) at the WAF/reverse-proxy layer to authenticated administrator IPs (side effect: legitimate ticket submitters will be blocked, so this only suits closed deployments). Hardening steps that reduce blast radius include enforcing 2FA on all administrator accounts, auditing wp_users and wp_usermeta for unexpected role assignments created since the plugin was installed, and rotating credentials for any account that may have been promoted.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210237