What the vulnerability does
01 Description
Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5.
Explanation of Vulnerability in Simple Terms
02 Summary
The ELEX WordPress HelpDesk & Customer Ticketing System plugin through version 3.3.5 does not properly check user permissions before allowing access to sensitive ticket data. A logged-in user with low privileges can read support tickets and customer information they should not have access to. Site administrators should update the plugin immediately to restrict ticket visibility to authorized staff only.
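To find installs that fall in the affected range, the check below reads the plugin header under a `wp-content/plugins` directory and compares its version with 3.3.5. It is an added example, not code from the plugin or from this advisory; the sample file name and the versions in the demo are constructed, and 3.3.6 is used only as a value above the range, not as a statement about which release contains the fix.

```python
import re
import tempfile
from pathlib import Path

SLUG = "elex-helpdesk-customer-support-ticket-system"  # slug from the advisory
LAST_AFFECTED = (3, 3, 5)  # advisory range: through <= 3.3.5

# Same header style WordPress parses: "Key: value" lines inside a comment block.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d[\w.\-]*)", re.M | re.I)


def parse_version(text):
    """'3.3.5' -> (3, 3, 5); pre-release suffixes after '-' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(plugins_dir):
    """Return (status, version) for one wp-content/plugins directory."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return ("absent", None)
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only reads the first 8 KiB of a file for header data.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        match = VERSION_RE.search(head) if NAME_RE.search(head) else None
        if match:
            version = match.group(1)
            affected = parse_version(version) <= LAST_AFFECTED
            return ("affected" if affected else "not-affected", version)
    return ("unknown", None)  # directory exists but no readable version header


def constructed_install(version):
    """Build a throwaway plugins dir with a constructed header (sample data)."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / SLUG
    plugin_dir.mkdir()
    header = f"<?php\n/*\n * Plugin Name: Constructed sample\n * Version: {version}\n */\n"
    (plugin_dir / "sample-main.php").write_text(header, encoding="utf-8")
    return root


if __name__ == "__main__":
    for v in ("3.3.5", "3.3.6"):
        print(v, audit(constructed_install(v)))
```

Point `audit()` at each site's real `wp-content/plugins` path; an `unknown` result means the plugin directory exists but its version could not be read and should be checked by hand.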
What an attacker can do
03 Attacker Capabilities
Read support tickets and customer information belonging to other users or restricted ticket queues.
Potential impact on your site
04 Site Impact
Customer support data, including ticket contents and personal information, may be exposed to unauthorized users.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account on the WordPress site (e.g., subscriber or customer role).
Key dates
06 Disclosure timeline
February 20, 2026
CVE published
April 28, 2026
Record updated