CVE-2025-11456
Published: 21 November 2025
Summary
CVE-2025-11456 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Elula Wsdesk. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-11456 is an arbitrary file upload vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress, affecting all versions up to and including 3.3.1. The flaw stems from missing file type validation in the eh_crm_new_ticket_post() function, enabling attackers to upload arbitrary files to the affected site's server. It is classified under CWE-434 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed ticket submission function, they can upload malicious files, such as web shells, potentially leading to remote code execution on the server.
Advisories and references, including Wordfence threat intelligence and WordPress plugin repository sources, point to the vulnerable code in class-crm-ajax-functions-three.php and a related changeset (3399391). Mitigation involves updating the plugin to a patched version beyond 3.3.1, as indicated by the version scope in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-198426
Vulnerability details
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for…
more
unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload vulnerability in public-facing WordPress plugin enables exploitation of public-facing application (T1190) and facilitates uploading web shells for remote code execution (T1100).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of information inputs, directly addressing the missing file type validation in the plugin's ticket submission function to prevent arbitrary file uploads.
SI-2 mandates identification, reporting, and correction of system flaws, ensuring timely patching of the vulnerable plugin versions up to 3.3.1.
SI-3 provides malicious code protection mechanisms such as scanning and blocking to mitigate execution of uploaded web shells resulting from the arbitrary file upload.