What the vulnerability does
01 Description
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets.
Explanation of Vulnerability in Simple Terms
02 Summary
The ELEX WordPress HelpDesk & Customer Ticketing System plugin through version 3.2.9 contains an authorization flaw that allows authenticated users to access sensitive information they should not be able to view. A logged-in user with low privileges can read data belonging to other users or the system without additional interaction. The vulnerability has a low confidentiality impact and does not affect data integrity or availability.
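The flaw described above is a missing ownership check: a ticket is looked up by a key the requester controls, and nothing confirms that the requester is allowed to see that object. The PHP below is an added illustration written for this page, not code from the ELEX plugin. It shows that class of bug next to a hardened form that authenticates, then authorises against the ticket's owner (or an explicit agent capability) before anything is rendered. The helper names (helpdesk_get_ticket, helpdesk_view_ticket_*), the table name, the 'manage_helpdesk_tickets' capability and the nonce action are all hypothetical placeholders.

```php
<?php
/*
 * Illustrative example only. This is not the ELEX plugin's code; it shows the
 * class of flaw the advisory describes (an object fetched by a user-supplied key
 * with no ownership check) beside a hardened version. Every helper name, the
 * table name and the capability name are placeholders for this example.
 */

// Hypothetical data-access helper: returns a ticket row (id, customer_id,
// subject, body) or null. Prepared statement keeps the lookup itself safe;
// the authorization problem lives in the callers below, not here.
function helpdesk_get_ticket( int $ticket_id ): ?array {
    global $wpdb;
    $table = $wpdb->prefix . 'helpdesk_tickets'; // placeholder table name
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, customer_id, subject, body FROM {$table} WHERE id = %d", $ticket_id ),
        ARRAY_A
    );
    return $row ?: null;
}

// VULNERABLE PATTERN (IDOR): the only input is the ticket id from the request.
// Any logged-in user who can reach this handler receives whichever ticket the
// id names, regardless of who owns it.
function helpdesk_view_ticket_vulnerable(): void {
    $ticket_id = absint( $_GET['ticket_id'] ?? 0 );
    $ticket    = helpdesk_get_ticket( $ticket_id );
    if ( ! $ticket ) {
        wp_die( 'Ticket not found', 404 );
    }
    echo esc_html( $ticket['subject'] ); // may be another customer's data
}

// HARDENED PATTERN: decide per object whether this user may see it.
function helpdesk_user_may_view_ticket( array $ticket, int $user_id ): bool {
    // Support agents/admins: check an explicit capability, not a role name.
    // 'manage_helpdesk_tickets' is a placeholder capability for this example.
    if ( current_user_can( 'manage_helpdesk_tickets' ) ) {
        return true;
    }
    // Customers: only tickets they own.
    return (int) $ticket['customer_id'] === $user_id;
}

function helpdesk_view_ticket_hardened(): void {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required', 401 );
    }
    // Nonce ties the request to a link/form this user was actually shown.
    // Calls wp_die() on failure; the action name is illustrative.
    check_admin_referer( 'helpdesk_view_ticket' );

    $ticket_id = absint( $_GET['ticket_id'] ?? 0 );
    $ticket    = helpdesk_get_ticket( $ticket_id );

    // Same response for "does not exist" and "not yours", so differing errors
    // do not reveal which ids are valid.
    if ( ! $ticket || ! helpdesk_user_may_view_ticket( $ticket, get_current_user_id() ) ) {
        wp_die( 'Ticket not found', 404 );
    }
    echo esc_html( $ticket['subject'] );
}
```

The check that matters is the comparison of the ticket's owner against get_current_user_id(): being logged in (or holding a low role such as Subscriber) says nothing about which tickets a user may read. For monitoring, a low-privilege account requesting many distinct ticket ids in a short window is the access pattern a defender would want to flag while the plugin is being updated.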
What an attacker can do
03 Attacker Capabilities
Read sensitive information or data belonging to other users or the system.
Potential impact on your site
04 Site Impact
Other users' helpdesk tickets, customer information, or internal system data may be exposed to any logged-in user.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low-level privileges.
Key dates
06 Disclosure timeline
November 21, 2025: CVE published
April 8, 2026: Record updated