What the vulnerability does
01 Description
The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket.
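A handler for this AJAX action that performs the missing check could look like the sketch below. It is an added example, not the plugin's own code: the `happy_ticket` post type, the `_example_assigned_agent` meta key, the `manage_options` staff capability, the nonce action and the `reply` field are all assumptions; only the action name and `happy_topic_id` come from the advisory.

```php
<?php
// Added example, not the plugin's code. Assumptions (hypothetical): tickets are
// posts of type 'happy_ticket', the owner is post_author, the assigned agent's
// user ID is in post meta '_example_assigned_agent', staff hold 'manage_options',
// the nonce action is 'example_ticket_reply' and the reply text arrives as 'reply'.

/** Pure authorization decision: may $user_id reply to this ticket? */
function example_user_can_reply( int $user_id, int $owner_id, int $agent_id, bool $is_staff ): bool {
    if ( $user_id <= 0 ) {
        return false; // not logged in; also stops 0 matching an unassigned agent
    }
    return $is_staff || $user_id === $owner_id || $user_id === $agent_id;
}

function example_submit_form_reply() {
    // 1. CSRF protection: dies with 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_ticket_reply', 'nonce' );

    // 2. Treat the client-supplied ticket ID as untrusted input.
    $topic_id = isset( $_POST['happy_topic_id'] ) ? absint( wp_unslash( $_POST['happy_topic_id'] ) ) : 0;
    $ticket   = $topic_id ? get_post( $topic_id ) : null;
    if ( ! $ticket || 'happy_ticket' !== $ticket->post_type ) {
        wp_send_json_error( array( 'message' => 'Ticket not found.' ), 404 );
    }

    // 3. Object-level authorization: owner, assigned agent, or staff only.
    $user_id  = get_current_user_id();
    $agent_id = (int) get_post_meta( $ticket->ID, '_example_assigned_agent', true );
    $is_staff = current_user_can( 'manage_options' );
    if ( ! example_user_can_reply( $user_id, (int) $ticket->post_author, $agent_id, $is_staff ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to reply to this ticket.' ), 403 );
    }

    // 4. Only now store the sanitized reply (kept here as a comment on the ticket).
    $reply = isset( $_POST['reply'] ) ? wp_kses_post( wp_unslash( $_POST['reply'] ) ) : '';
    if ( '' === trim( $reply ) ) {
        wp_send_json_error( array( 'message' => 'Empty reply.' ), 400 );
    }
    $comment_id = wp_insert_comment( wp_slash( array(
        'comment_post_ID' => $ticket->ID,
        'user_id'         => $user_id,
        'comment_content' => $reply,
    ) ) );
    wp_send_json_success( array( 'reply_id' => $comment_id ) );
}
// Registered for logged-in users only; there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_submit_form_reply', 'example_submit_form_reply' );
```

The `wp_ajax_` hook only establishes that the caller is logged in, which a Subscriber satisfies; step 3 is the per-ticket check the advisory describes as missing.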
Explanation of Vulnerability in Simple Terms
02 Summary
The HAPPY Helpdesk Support Ticket System through version 1.0.9 lacks proper authorization checks, allowing authenticated users to modify data they should not have access to. An attacker with low-level credentials can alter ticket information or other system records without proper permission validation. This affects the integrity of support ticket data and could allow unauthorized changes to ticket status, assignments, or content.
What an attacker can do
03 Attacker Capabilities
Modify helpdesk tickets and data belonging to other users or departments without authorization.
Potential impact on your site
04 Site Impact
Support ticket data can be altered by unauthorized users, compromising ticket integrity and audit trails.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account with low-level access to the system.
Key dates
06 Disclosure timeline
December 13, 2025: CVE published
April 8, 2026: Record updated