CVE-2025-11456

Critical

Published: 21 November 2025

Published

21 November 2025

Modified

26 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0065 70.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for…

unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of information inputs, directly addressing the missing file type validation in the plugin's ticket submission function to prevent arbitrary file uploads.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates identification, reporting, and correction of system flaws, ensuring timely patching of the vulnerable plugin versions up to 3.3.1.

SI-3 Malicious Code Protection partial match

preventdetect

SI-3 provides malicious code protection mechanisms such as scanning and blocking to mitigate execution of uploaded web shells resulting from the arbitrary file upload.

Security SummaryAI

CVE-2025-11456 is an arbitrary file upload vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress, affecting all versions up to and including 3.3.1. The flaw stems from missing file type validation in the eh_crm_new_ticket_post() function, enabling attackers to upload arbitrary files to the affected site's server. It is classified under CWE-434 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed ticket submission function, they can upload malicious files, such as web shells, potentially leading to remote code execution on the server.

Advisories and references, including Wordfence threat intelligence and WordPress plugin repository sources, point to the vulnerable code in class-crm-ajax-functions-three.php and a related changeset (3399391). Mitigation involves updating the plugin to a patched version beyond 3.3.1, as indicated by the version scope in the CVE description.

Details

CWE(s): CWE-434

Affected Products

elula

wsdesk

≤ 3.3.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Arbitrary file upload vulnerability in public-facing WordPress plugin enables exploitation of public-facing application (T1190) and facilitates uploading web shells for remote code execution (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-three.php?rev=3332203
Product · security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-three.php
Patch · security@wordfence.com
https://wordpress.org/plugins/elex-helpdesk-customer-support-ticket-system/
Product · security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/a6f362c1-fe64-4be1-9713-14c0561a59ce?source=cve
Third Party Advisory · security@wordfence.com