CVE-2025-57972 MEDIUM

CVE-2025-57972: WordPress Helpdesk Support Ticket System for WooCommerce plugin <= 2.1.1 - Broken Access Control vulnerability

Vendor Wpfactory
Product Helpdesk Support Ticket System for WooCommerce
Weakness CWE-862 · Missing authorization
Published September 22, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.1.

Explanation of Vulnerability in Simple Terms

02Summary

The Helpdesk Support Ticket System for WooCommerce plugin does not properly check user permissions before allowing certain actions. A logged-in user with low privileges can modify data they should not have access to. The vulnerability affects versions up to 2.1.1. Site owners should update to a version newer than 2.1.1 to resolve this issue.

What an attacker can do

03Attacker Capabilities

A logged-in user can modify data they lack authorization to change.

Potential impact on your site

04Site Impact

Unauthorized users may alter ticket data, settings, or other protected information within the helpdesk system.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege account on the site (e.g., customer or subscriber role).

Key dates

06Disclosure timeline

September 22, 2025 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2026-0974 Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation CVE-2023-47179 WordPress WooODT Lite plugin <= 2.4.6 - Arbitrary Site Option Update vulnerability CVE-2025-12091 Search, Filters & Merchandising for WooCommerce <= 3.0.67 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation CVE-2024-31098 WordPress New Order Notification for Woocommerce plugin <= 2.0.2 - Broken Access Control vulnerability CVE-2024-12316 Jupiter X Core <= 4.8.5 - Missing Authorization to Unauthenticated Popup Template Export