CVE-2025-49372: 
WordPress vulnerability analysis and mitigation

The HAPPY – Helpdesk Support Ticket System plugin for WordPress contains a Remote Code Execution (RCE) vulnerability (CVE-2025-49372) affecting all versions up to and including 1.0.7. The vulnerability was discovered on October 25, 2025, and allows for Remote Code Inclusion in the VillaTheme HAPPY happy-helpdesk-support-ticket-system plugin (Rapid7, NVD).

The vulnerability is classified as an Improper Control of Generation of Code (Code Injection) vulnerability with a CVSS v3.1 base score of 10.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The vulnerability is tracked under CWE-94 (Improper Control of Generation of Code) and requires no authentication to exploit (NVD, Patchstack).

This vulnerability allows unauthenticated attackers to execute arbitrary code on the server, potentially leading to complete system compromise. The critical CVSS score of 10.0 indicates the highest possible severity, with potential impacts including full system access and data compromise (Rapid7, Patchstack).

The vulnerability has been fixed in version 1.0.8 of the plugin. Users are strongly advised to update to this version immediately. Patchstack has issued a mitigation rule to block any attacks until users can update to the fixed version (Patchstack).

The vulnerability was discovered and reported by security researcher Drew Webber (mcdruid) on October 28, 2025. The high CVSS score and critical nature of the vulnerability has prompted immediate attention from the security community (Patchstack).