An authenticated SQL injection vulnerability in the ELEX WordPress HelpDesk plugin allows malicious subscribers to execute arbitrary database queries.

The vulnerability allows an authenticated user with "subscriber" privileges to inject malicious SQL commands into the application's database queries due to insufficient input sanitization.

The SQL injection flaw carries a CVSS score of 8.5, indicating a high risk of data exfiltration or unauthorized modification of the WordPress database. An attacker could potentially extract sensitive customer information, credentials, or modify ticket data, leading to severe reputational damage and potential regulatory non-compliance.

Immediate Action: Update the ELEX HelpDesk & Customer Ticketing System plugin to the most recent version where this flaw is patched.

Proactive Monitoring: Inspect database error logs for suspicious SQL syntax errors or unexpected query patterns generated by standard user accounts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious traffic targeting the WordPress site.

Public Exploit Available: false

This vulnerability highlights the risk of third-party plugins in WordPress environments. Site administrators should immediately update the plugin and audit user roles to ensure that access to ticketing systems is restricted to authorized personnel only, minimizing the attack surface.