CVE-2025-11456

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress

Executive summary

A critical vulnerability has been identified in the ELEX WordPress HelpDesk plugin, which allows unauthenticated attackers to upload malicious files to the server. This flaw can be exploited without needing any user credentials, potentially leading to a complete system compromise, data theft, and remote code execution on the affected website.

Vulnerability

The vulnerability exists within the eh_crm_new_ticket_post() function, which is responsible for processing new support ticket submissions. The function fails to properly validate the file types of attachments uploaded with a new ticket. An unauthenticated attacker can craft a request to this function, submitting a malicious script (e.g., a PHP web shell) disguised as a standard file attachment. Because the server does not check the file's extension or content, it saves the malicious file to a web-accessible directory, allowing the attacker to execute arbitrary code with the permissions of the web server.
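The checks the description says are missing (extension validation, content validation, and no attacker control over the stored name) can be illustrated in a few dozen lines. The following is an added example written for this page in Python rather than PHP; it is not the ELEX plugin's code, and the function names, the allowed-type table and the marker list are assumptions made for the illustration. It goes slightly beyond the single case in the text by also rejecting blocked extensions that appear in an inner segment of the name (such as `x.php.jpg`), which some server configurations still hand to the PHP handler.

```python
"""Allowlist-based attachment validation for a ticket-upload handler.

Added illustration, not the ELEX plugin's code. The function names, the
allowed-type table and the marker list are assumptions for this example.
"""
import os
import secrets

# Extensions a helpdesk might accept for attachments, each mapped to the
# leading bytes ("magic") a file of that type must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions that must not appear in *any* dot-separated segment of the name:
# some server configurations execute "x.php.jpg" as PHP, so allowing "jpg"
# as the final extension is not enough on its own.
BLOCKED_SEGMENTS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps", "pht"}

# PHP open tags; their presence in an image or PDF body is a strong signal
# that the file is not what its extension claims.
SCRIPT_MARKERS = (b"<?php", b"<?=")


class RejectedUpload(ValueError):
    """Raised with a human-readable reason when an attachment is refused."""


def validate_attachment(original_name: str, content: bytes) -> str:
    """Return a random storage name for an accepted attachment.

    Checks, in order: directory components are discarded, the final
    extension is on the allowlist, no segment of the name is a blocked
    extension, the content's magic bytes match the claimed type, and no PHP
    open tag occurs anywhere in the body.
    """
    base = os.path.basename(original_name.replace("\\", "/"))
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        raise RejectedUpload("missing file extension")
    ext = segments[-1]
    if ext not in ALLOWED_TYPES:
        raise RejectedUpload(f"extension .{ext} is not on the allowlist")
    blocked = BLOCKED_SEGMENTS.intersection(segments)
    if blocked:
        raise RejectedUpload(f"name contains blocked extension: {sorted(blocked)}")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise RejectedUpload(f"content does not start with a .{ext} signature")
    if any(marker in content for marker in SCRIPT_MARKERS):
        raise RejectedUpload("PHP open tag found inside attachment body")
    # Never keep the client-supplied name on disk: a random name means the
    # uploader controls neither the path nor the extension that is stored.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(original_name: str, content: bytes) -> bool:
    """Boolean wrapper around validate_attachment for quick checks."""
    try:
        validate_attachment(original_name, content)
        return True
    except RejectedUpload:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not real submissions.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("ticket.php", b"<?php echo 'constructed'; ?>"),
        ("photo.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("photo.jpg", b"\xff\xd8\xff\xe0<?php echo 1; ?>"),
    ]
    for name, data in samples:
        try:
            print(f"{name}: stored as {validate_attachment(name, data)}")
        except RejectedUpload as err:
            print(f"{name}: rejected ({err})")
```

The content checks are a defence in depth; the control that removes the code-execution outcome entirely is storing attachments outside the web root (or in a directory where the web server will not execute scripts), which the compensating controls below also describe.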

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a full compromise of the web server, resulting in significant business disruption. Potential consequences include theft of sensitive customer data and intellectual property, website defacement, distribution of malware to site visitors, and the use of the compromised server to launch further attacks. Such an incident poses a severe risk to data confidentiality, integrity, and availability, and can cause substantial reputational damage and financial loss.

Remediation

Immediate Action: Update the ELEX WordPress HelpDesk plugin to the latest patched version (greater than 3.3.1) across all WordPress instances. After patching, review the web server's upload directories for any suspicious or unrecognized files and investigate any findings. Review web server access and error logs for indicators of compromise, such as unusual POST requests to the ticket submission endpoint.

Proactive Monitoring: Implement continuous monitoring of web server logs, focusing on POST requests that contain file uploads. Look for attempts to upload files with executable extensions (e.g., .php, .phtml, .phar). Utilize a File Integrity Monitoring (FIM) solution to alert on the creation of new, unauthorized files in web directories. Monitor for anomalous outbound network traffic from the web server, which could indicate a successful compromise.
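The upload-directory review from the Immediate Action step and the file-integrity alerting described above can be combined into one small script. The following is an added example, not part of the advisory and not the ELEX plugin's code: it walks an uploads tree, flags files whose name or content indicates server-side code (including double extensions and web server config files dropped into the directory), and compares SHA-256 hashes against a baseline to list files added, modified or removed since the baseline was taken. The directory layout and file contents in `run_demo()` are constructed for the illustration.

```python
"""Review an uploads directory for files that should not be there, plus a
minimal integrity check against a baseline of hashes.

Added example; not part of the advisory or the ELEX plugin. The sample tree
built in run_demo() is constructed and contains no real artefacts.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions named in the advisory plus variants that PHP handlers are often
# configured to execute as well.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5",
                   ".php7", ".phps", ".pht"}
# Files that re-enable script execution in a hardened uploads directory;
# their presence there is itself a finding.
CONFIG_FILES = {".htaccess", ".user.ini"}
PHP_MARKERS = (b"<?php", b"<?=")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_uploads(root) -> list:
    """Return (relative_path, reason) for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in CONFIG_FILES:
            findings.append((rel, "web server config file inside uploads"))
            continue
        # path.suffixes covers double extensions such as avatar.php.jpg
        if any(s.lower() in EXECUTABLE_EXTS for s in path.suffixes):
            findings.append((rel, "executable extension in file name"))
            continue
        data = path.read_bytes()
        if any(marker in data for marker in PHP_MARKERS):
            findings.append((rel, "PHP open tag inside a non-script file"))
    return findings


def build_baseline(root) -> dict:
    """Map each file's relative path to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_baseline(root, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current
                           if k in baseline and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_demo():
    """Constructed tree: take a baseline, then simulate files appearing later."""
    with tempfile.TemporaryDirectory() as tmp:
        month = Path(tmp) / "2025" / "10"
        month.mkdir(parents=True)
        (month / "invoice.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
        (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed")
        baseline = build_baseline(tmp)
        # Changes after the baseline (all constructed, none are real artefacts)
        (month / "note.phtml").write_bytes(b"<?php echo 'constructed'; ?>")
        (month / "avatar.php.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed")
        (month / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php echo 1; ?>")
        (month / ".htaccess").write_bytes(b"# constructed\n")
        (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 modified")
        return scan_uploads(tmp), diff_baseline(tmp, baseline)


if __name__ == "__main__":
    findings, changes = run_demo()
    for rel, reason in findings:
        print(f"SUSPICIOUS {rel}: {reason}")
    for kind, paths in changes.items():
        for rel in paths:
            print(f"{kind.upper()} {rel}")
```

In practice the baseline dictionary is written to storage outside the web root right after patching, and `diff_baseline` is run on a schedule; any entry in `added` or `modified` that the ticketing workflow cannot account for is investigated alongside the matching POST requests in the access log.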

Compensating Controls: If immediate patching is not feasible, consider the following controls:

  • Implement a Web Application Firewall (WAF) with rules specifically designed to block the upload of executable file types.
  • Temporarily disable the ELEX WordPress HelpDesk plugin until it can be safely updated.
  • Harden the web server configuration to prevent the execution of scripts (like PHP) from the designated uploads directory.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for unauthenticated remote code execution, this vulnerability represents an immediate and severe threat to the organization. We strongly recommend that all affected instances of the ELEX WordPress HelpDesk plugin be patched immediately. Although this CVE is not currently listed in the CISA KEV catalog, its high impact makes it a prime candidate for future inclusion. Organizations must treat this as a top priority for remediation to prevent a full system compromise.