Vulnerability Details CVE-2025-10054
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.3%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2025-10054
-
cpe:2.3:a:elula:wsdesk:-
-
cpe:2.3:a:elula:wsdesk:1.0.0
-
cpe:2.3:a:elula:wsdesk:1.6.0
-
cpe:2.3:a:elula:wsdesk:1.6.1
-
cpe:2.3:a:elula:wsdesk:1.6.2
-
cpe:2.3:a:elula:wsdesk:1.6.3
-
cpe:2.3:a:elula:wsdesk:1.6.4
-
cpe:2.3:a:elula:wsdesk:1.6.5
-
cpe:2.3:a:elula:wsdesk:1.6.6
-
cpe:2.3:a:elula:wsdesk:1.6.7
-
cpe:2.3:a:elula:wsdesk:1.6.8
-
cpe:2.3:a:elula:wsdesk:1.6.9
-
cpe:2.3:a:elula:wsdesk:1.7.0
-
cpe:2.3:a:elula:wsdesk:1.7.1
-
cpe:2.3:a:elula:wsdesk:1.7.2
-
cpe:2.3:a:elula:wsdesk:1.7.3
-
cpe:2.3:a:elula:wsdesk:2.0.0
-
cpe:2.3:a:elula:wsdesk:2.0.1
-
cpe:2.3:a:elula:wsdesk:2.0.2
-
cpe:2.3:a:elula:wsdesk:3.0.0
-
cpe:2.3:a:elula:wsdesk:3.0.1
-
cpe:2.3:a:elula:wsdesk:3.1.0
-
cpe:2.3:a:elula:wsdesk:3.1.1
-
cpe:2.3:a:elula:wsdesk:3.1.2
-
cpe:2.3:a:elula:wsdesk:3.1.3
-
cpe:2.3:a:elula:wsdesk:3.1.4
-
cpe:2.3:a:elula:wsdesk:3.1.5
-
cpe:2.3:a:elula:wsdesk:3.2.0
-
cpe:2.3:a:elula:wsdesk:3.2.1
-
cpe:2.3:a:elula:wsdesk:3.2.2
-
cpe:2.3:a:elula:wsdesk:3.2.3
-
cpe:2.3:a:elula:wsdesk:3.2.4
-
cpe:2.3:a:elula:wsdesk:3.2.5
-
cpe:2.3:a:elula:wsdesk:3.2.6
-
cpe:2.3:a:elula:wsdesk:3.2.7
-
cpe:2.3:a:elula:wsdesk:3.2.8
-
cpe:2.3:a:elula:wsdesk:3.2.9
-
cpe:2.3:a:elula:wsdesk:3.3.0
-
cpe:2.3:a:elula:wsdesk:3.3.1