Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Remote HTTP exploitation (AV:N/AC:L), Subscriber auth required (PR:L), no user interaction; SQLi reads cross-component WordPress core tables (S:C/C:H), reported as read-only (I:N) with limited DB load impact (A:L).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions.
AnalysisAI
SQL injection in the ELEX WordPress HelpDesk & Customer Ticketing System plugin (versions <= 3.3.6) allows authenticated users with low-privilege Subscriber accounts to inject arbitrary SQL into backend database queries. Successful exploitation results in high confidentiality impact with a scope change, enabling access to data beyond the plugin's own tables, plus limited availability impact. No public exploit identified at time of analysis, but the disclosure originates from Patchstack's WordPress plugin vulnerability program.
Technical ContextAI
The vulnerability is a CWE-89 SQL Injection flaw in the ELEX HelpDesk & Customer Ticketing System WordPress plugin (CPE cpe:2.3:a:elextensions:elex_wordpress_helpdesk_&_customer_ticketing_system), which provides ticket management functionality for WordPress-based support portals. The root cause class - improper neutralization of special elements in SQL commands - typically arises when user-controlled input from ticket fields, search parameters, or AJAX endpoints is concatenated into database queries without using $wpdb->prepare() or proper escaping. Because WordPress permits self-registration of Subscriber accounts on many sites, this plugin exposes a SQLi sink to the lowest privileged authenticated tier rather than restricting it to support agents or administrators.
RemediationAI
Patch available per vendor advisory (Patchstack), though a specific fixed version is not enumerated in the available data - administrators should upgrade the ELEX HelpDesk plugin to the latest release published on WordPress.org beyond 3.3.6 and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/elex-helpdesk-customer-support-ticket-system/vulnerability/wordpress-elex-wordpress-helpdesk-customer-ticketing-system-plugin-3-3-6-sql-injection-vulnerability for the confirmed patched version. As compensating controls until patching, disable open user registration in WordPress (Settings → General → uncheck 'Anyone can register') to eliminate the trivial Subscriber-account acquisition path, deploy a WAF rule (Patchstack, Wordfence, or equivalent) that flags SQL meta-characters in requests to the plugin's AJAX and REST endpoints, and audit existing Subscriber accounts for anomalous activity; the trade-off of disabling registration is loss of self-service ticket submission for unregistered customers. If the plugin is not essential, deactivating and removing it fully eliminates the exposure.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36863
GHSA-784v-3q4c-pmjg