CVE-2024-12171
Published: 01 February 2025
Summary
CVE-2024-12171 is a high-severity Missing Authorization (CWE-862) vulnerability in Elula Wsdesk. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-12171 is a privilege escalation vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress, stemming from a missing capability check on the 'eh_crm_agent_add_user' AJAX action. It affects all versions up to and including 3.2.6. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a crafted AJAX request to the 'eh_crm_agent_add_user' action, they can create new administrative user accounts, effectively granting themselves or others full administrative privileges on the targeted WordPress site.
Wordfence published threat intelligence on the vulnerability, and remediation is available via patches in the WordPress plugin trac repository, including changesets such as 3227859 in class-crm-ajax-functions-one.php and related updates around changeset 3213791. Security practitioners should update to a version beyond 3.2.6 and review existing low-privilege accounts for signs of abuse.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50646
Vulnerability details
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for…
more
authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization check on AJAX action directly enables authenticated low-privilege users to escalate to admin via crafted request, matching Exploitation for Privilege Escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations, directly addressing the missing capability check on the eh_crm_agent_add_user AJAX action to prevent unauthorized privilege escalation.
Implements least privilege to restrict Subscriber-level users from performing administrative actions like creating new admin accounts.
Manages account creation processes to ensure only authorized users can add administrative accounts, mitigating the core exploit vector.