Cyber Resilience

CVE-2024-12171

Severity: High
Published: 01 February 2025
Modified: 24 February 2025
KEV Added: not listed
Patch: available (changesets listed under Deeper analysis)
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0020 (41.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12171 is a high-severity Missing Authorization (CWE-862) vulnerability in Elula Wsdesk. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 41.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note that the low EPSS reflects predicted exploitation across the internet, not the ease of exploitation on a given site: any account that can log in is enough.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-12171 is a privilege escalation vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress, stemming from a missing capability check on the 'eh_crm_agent_add_user' AJAX action. It affects all versions up to and including 3.2.6. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a crafted AJAX request to the 'eh_crm_agent_add_user' action, they can create new administrative user accounts, effectively granting themselves or others full administrative privileges on the targeted WordPress site.
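The bug class described above, as an added illustration that is not the plugin's own code: an admin-ajax.php handler that any logged-in user can reach and that creates an administrator, beside a hardened handler. Only the action name 'eh_crm_agent_add_user' comes from the advisory; the function names, the nonce action 'eh_crm_agent_add_user_nonce', the request field names and the 'wsdesk_agent' role are assumptions made for the example.

```php
<?php
// Added illustrative example for this page; it is NOT the plugin's code.
// Only the action name 'eh_crm_agent_add_user' comes from the advisory.
// Function names, the nonce action, request fields and the 'wsdesk_agent'
// role name are assumptions.

// ---- Vulnerable pattern (CWE-862): authenticated, but never authorized ----
function example_vuln_agent_add_user() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $role  = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    // 'wp_ajax_*' hooks only fire for logged-in users. That is the advisory's
    // "Subscriber+" precondition, not an authorization check: nothing here
    // asks whether the caller may create users, and $role is caller-controlled,
    // so a Subscriber can POST role=administrator.
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// Before the fix, a registration equivalent to this wired the action up:
// add_action( 'wp_ajax_eh_crm_agent_add_user', 'example_vuln_agent_add_user' );

// ---- Hardened pattern: capability check, nonce, role allowlist ------------
function example_hardened_agent_add_user() {
    // 1. Authorization first: the caller must hold a capability that implies
    //    the right to create users. Subscribers do not have 'create_users'.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action in
    //    the 'security' field; check_ajax_referer() exits on failure.
    check_ajax_referer( 'eh_crm_agent_add_user_nonce', 'security' );

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $role  = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    // 3. The caller never gets to name an arbitrary role. Allowlist the roles
    //    this endpoint is meant to assign, and require 'promote_users' for
    //    anything other than the default.
    $allowed_roles = array( 'subscriber', 'wsdesk_agent' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid role' ), 400 );
    }
    if ( 'subscriber' !== $role && ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Validate input after the security checks, and surface WP_Error
    //    instead of handing it back as if it were a user ID.
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_eh_crm_agent_add_user', 'example_hardened_agent_add_user' );

// The nonce the hardened handler expects is minted server-side when the
// agent page is rendered: wp_create_nonce( 'eh_crm_agent_add_user_nonce' ).
```

The order of the checks matters: a nonce proves the request originated from a page the site served to that user, not that the user is allowed to do anything, so a nonce check on its own would still leave a Subscriber able to create administrators. The capability check is the fix for CWE-862; the nonce and the role allowlist close the adjacent CSRF and mass-assignment holes that usually accompany it.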

Wordfence published threat intelligence on the vulnerability, and remediation is available via patches in the WordPress plugin trac repository, including changesets such as 3227859 in class-crm-ajax-functions-one.php and related updates around changeset 3213791. Security practitioners should update to the patched release (the advisory text gives the affected range as up to and including 3.2.6, while the Affected Assets entry below lists ≤ 3.2.7, so confirm the fixed version against the plugin changelog rather than relying on either number), or deactivate the plugin until it can be updated. Because the exploit creates new administrator accounts rather than elevating the attacker's own, post-patch review should enumerate administrator accounts and their creation dates, not only the low-privilege accounts that could have triggered the action.
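The post-exposure account review recommended above, as an added example that is not the plugin's or this page's own code: a stand-alone PHP script that flags administrator accounts created after a cut-off date or absent from a known-good list. The rows it processes are constructed sample data; the SQL in the comment shows the shape a real review would pull from the site database. The admin allowlist, the cut-off date and the sample logins are assumptions.

```php
<?php
// Added example for this page, not the plugin's or the page's own code.
// Flags administrator accounts that were created after a cut-off date or that
// are missing from a known-good list. Rows below are constructed sample data.
// On a live site the same row shape comes from:
//   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
//   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
//   WHERE m.meta_key = 'wp_capabilities';
// ('wp_' is the default table prefix; substitute the site's own.)

function find_suspicious_admins(array $rows, string $cutoff, array $known_admins): array
{
    $cutoff_ts = strtotime($cutoff);
    $hits = [];
    foreach ($rows as $row) {
        // wp_capabilities is PHP-serialized, e.g. a:1:{s:13:"administrator";b:1;}.
        // allowed_classes=false keeps attacker-written meta from instantiating
        // objects (and running __wakeup/__destruct gadgets) inside this script.
        $caps = @unserialize($row['meta_value'], ['allowed_classes' => false]);
        if (!is_array($caps) || empty($caps['administrator'])) {
            continue; // not an administrator, or meta we refuse to trust
        }
        $is_new     = strtotime($row['user_registered']) >= $cutoff_ts;
        $is_unknown = !in_array($row['user_login'], $known_admins, true);
        if ($is_new || $is_unknown) {
            $hits[] = [
                'ID'         => (int) $row['ID'],
                'user_login' => $row['user_login'],
                'registered' => $row['user_registered'],
                'reason'     => $is_unknown ? 'admin not in allowlist' : 'admin created after cut-off',
            ];
        }
    }
    return $hits;
}

// Constructed sample rows (not real accounts).
$sample_rows = [
    ['ID' => 1,  'user_login' => 'siteowner',    'user_registered' => '2023-05-02 09:14:00',
     'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['ID' => 7,  'user_login' => 'customer42',   'user_registered' => '2024-11-20 16:03:11',
     'meta_value' => 'a:1:{s:10:"subscriber";b:1;}'],
    ['ID' => 9,  'user_login' => 'wp-support',   'user_registered' => '2025-01-15 03:27:48',
     'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['ID' => 10, 'user_login' => 'helpdesk-ops', 'user_registered' => '2023-08-01 10:00:00',
     'meta_value' => 'O:8:"stdClass":0:{}'], // object payload: rejected, not parsed
];

// Assumptions: the allowlist is the set of admins the site owner vouches for,
// and the cut-off is the earliest date the vulnerable plugin version was live.
$known_admins = ['siteowner'];
$cutoff       = '2024-06-01 00:00:00';

foreach (find_suspicious_admins($sample_rows, $cutoff, $known_admins) as $hit) {
    printf("[%s] ID %d %-14s registered %s\n",
        $hit['reason'], $hit['ID'], $hit['user_login'], $hit['registered']);
}
```

Run it with plain `php` against exported rows. An account that appears here but not in the administrator list shown in the WordPress dashboard is worth a second look as well: the same missing-authorization class of bug is often paired with tampering of the capabilities meta directly, and the serialized form above is what that tampering has to write.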

Vulnerability details

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.

CWE(s)

CWE-862 Missing Authorization
Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The missing authorization check on the AJAX action lets an authenticated low-privilege user escalate to administrator with a single crafted request, which matches Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-11456 (same product: Elula Wsdesk)
CVE-2026-8547 (shared CWE-862)
CVE-2026-22172 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2026-0026 (shared CWE-862)
CVE-2025-48578 (shared CWE-862)
CVE-2025-48634 (shared CWE-862)
CVE-2026-28193 (shared CWE-862)
CVE-2026-0845 (shared CWE-862)
CVE-2025-49723 (shared CWE-862)

Affected Assets

elula wsdesk, versions ≤ 3.2.7 (the advisory text above gives the affected range as ≤ 3.2.6; confirm the fixed version in the plugin changelog before closing the finding)

Mitigating Controls (NIST 800-53 r5) [AI]

AC-3 Access Enforcement (prevent)
Enforces approved authorizations, directly addressing the missing capability check on the eh_crm_agent_add_user AJAX action to prevent unauthorized privilege escalation.

AC-6 Least Privilege (prevent)
Implements least privilege to restrict Subscriber-level users from performing administrative actions like creating new admin accounts.

AC-2 Account Management (prevent)
Manages account creation processes so that only authorized users can add administrative accounts, mitigating the core exploit vector.
