CVE-2024-12171: 
WordPress vulnerability analysis and mitigation

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-12171) due to a missing capability check on the 'ehcrmagentadduser' AJAX action in versions up to and including 3.2.6. The vulnerability was publicly disclosed on January 31, 2025, and affects all installations of the plugin below version 3.2.7 (WPScan).

The vulnerability is classified as a Missing Authorization issue (CWE-862) and has received a CVSS v3.1 score of 8.8 (High). The security flaw stems from inadequate capability checks in the AJAX functionality, specifically in the 'ehcrmagentadduser' action. This vulnerability falls under the OWASP Top 10 category A5: Broken Access Control (WPScan).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to create new administrative user accounts in the WordPress installation. This represents a significant security risk as it enables privilege escalation from low-privileged users to administrative access (WPScan).

The vulnerability has been patched in version 3.2.7 of the ELEX WordPress HelpDesk & Customer Ticketing System plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).