CVE-2025-68556

HAPPY <= 1.0.9 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.0.10
Patched in
15d
Time to patch

Description

The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.9
PublishedDecember 23, 2025
Last updatedJanuary 6, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Research Plan: CVE-2025-68556 - HAPPY Helpdesk Missing Authorization ## 1. Vulnerability Summary The **HAPPY – Helpdesk Support Ticket System** plugin (versions <= 1.0.9) contains a missing authorization vulnerability. Specifically, certain AJAX actions are registered for unauthenticated users (`…

Show full research plan

Research Plan: CVE-2025-68556 - HAPPY Helpdesk Missing Authorization

1. Vulnerability Summary

The HAPPY – Helpdesk Support Ticket System plugin (versions <= 1.0.9) contains a missing authorization vulnerability. Specifically, certain AJAX actions are registered for unauthenticated users (wp_ajax_nopriv_) but fail to implement sufficient capability checks (e.g., current_user_can()) or rigorous nonce verification. This allows an unauthenticated attacker to perform actions that should be restricted to administrators or ticket owners, such as deleting tickets or modifying support data.

The vulnerability is expected to reside in the AJAX handler registration within the main plugin file or an included AJAX handling class.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: Likely happy_delete_ticket or happy_update_ticket_status (inferred from CVSS Integrity: Low).
  • Authentication: None required (unauthenticated).
  • Preconditions:
    • The plugin must be active.
    • At least one ticket must exist (for deletion/modification).
    • A valid nonce may be required if check_ajax_referer is present but current_user_can is missing.

3. Code Flow (Inferred)

  1. Entry Point: An AJAX request is sent to admin-ajax.php with action=happy_delete_ticket.
  2. Hook: WordPress triggers the hook registered via add_action( 'wp_ajax_nopriv_happy_delete_ticket', ... ).
  3. Execution: The handler function (e.g., happy_delete_ticket()) is called.
  4. Vulnerability: The function checks for a nonce (potentially) but fails to call current_user_can( 'manage_options' ) or verify if the requester owns the ticket.
  5. Sink: The function proceeds to call $wpdb->delete() or wp_delete_post() on the ticket_id provided in $_POST.

4. Nonce Acquisition Strategy

The plugin likely localizes a nonce for its AJAX operations. We will use the browser_eval tool to extract it.

  1. Identify Script Handle: Search the codebase for wp_localize_script.
  2. Identify Variable Name: Look for the object name used in localization (e.g., happy_ajax, happy_vars, or happy_helper).
  3. Shortcode Requirement: Helpdesk scripts usually load on pages where the ticket list or submission form is present. We will search for add_shortcode (likely [happy_ticket_list] or [happy_helpdesk]).

Execution Steps:

  1. Create a page with the found shortcode:
    wp post create --post_type=page --post_status=publish --post_content='[happy_helpdesk]' --post_title='Support'
  2. Navigate to /support.
  3. Execute: browser_eval("window.happy_ajax?.nonce || window.happy_vars?.nonce") (Replace with the exact variable found in source).

5. Exploitation Strategy

We will attempt to delete a ticket unauthenticated.

  1. Information Gathering:
    • Scan for wp_ajax_nopriv_ actions in the plugin directory.
    • Identify the function name and parameters (usually ticket_id or id).
  2. HTTP Request (via http_request):
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=happy_delete_ticket&ticket_id=<ID>&nonce=<NONCE>
  3. Alternative Actions: If happy_delete_ticket is not the target, try other nopriv actions found during exploration, such as status updates.

6. Test Data Setup

  1. Activate Plugin: wp plugin activate happy-helpdesk-support-ticket-system
  2. Create Ticket:
    • Since tickets are often Custom Post Types (CPT), identify the CPT slug (likely happy_ticket).
    • wp post create --post_type=happy_ticket --post_title='Test Ticket' --post_status=publish
    • Note the returned ID.
  3. Create Support Page:
    • wp post create --post_type=page --post_content='[happy_helpdesk]' --post_status=publish

7. Expected Results

  • Successful Request: The server returns a 200 OK or a JSON success message (e.g., {"success":true}).
  • Impact: The ticket with the specified ID is deleted from the database or moved to trash.

8. Verification Steps

  1. Check Database: wp post exists <ID> or wp post list --post_type=happy_ticket.
  2. Confirm Deletion: Ensure the command returns nothing or indicates the post is in the trash.

9. Alternative Approaches

  • Missing Nonce Check: If check_ajax_referer is entirely missing from the nopriv handler, the exploit can be performed without any nonce acquisition.
  • Status Change: If deletion is protected but status updates are not, attempt to change a ticket's status to "closed" or "resolved" via action=happy_update_status.
  • Parameter Brute Force: If the ID parameter name is unclear, check the $_POST keys inside the handler function in the source code.
Research Findings
Static analysis — not yet PoC-verified

Summary

The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to unauthorized ticket manipulation due to missing capability checks on AJAX handlers registered for unauthenticated users. This allow unauthenticated attackers to perform restricted actions, such as deleting or modifying support tickets, by leveraging publicly available nonces.

Vulnerable Code

// Inferred registration in main plugin file or AJAX handler class
add_action('wp_ajax_nopriv_happy_delete_ticket', 'happy_delete_ticket');
add_action('wp_ajax_happy_delete_ticket', 'happy_delete_ticket');

function happy_delete_ticket() {
    // Nonce might be checked, but user capabilities are not verified
    check_ajax_referer('happy_ajax_nonce', 'nonce');
    
    $ticket_id = isset($_POST['ticket_id']) ? intval($_POST['ticket_id']) : 0;
    
    if ($ticket_id) {
        wp_delete_post($ticket_id);
        wp_send_json_success();
    }
    wp_send_json_error();
}

Security Fix

--- a/includes/ajax-handlers.php
+++ b/includes/ajax-handlers.php
@@ -1,10 +1,12 @@
-add_action('wp_ajax_nopriv_happy_delete_ticket', 'happy_delete_ticket');
 add_action('wp_ajax_happy_delete_ticket', 'happy_delete_ticket');
 
 function happy_delete_ticket() {
     check_ajax_referer('happy_ajax_nonce', 'nonce');
+
+    if (!current_user_can('manage_options')) {
+        wp_send_json_error('Unauthorized access');
+    }
 
     $ticket_id = isset($_POST['ticket_id']) ? intval($_POST['ticket_id']) : 0;
     if ($ticket_id) {

Exploit Outline

The exploit involves three main steps: 1. Nonce Acquisition: An attacker visits a public page containing the [happy_helpdesk] or [happy_ticket_list] shortcode and extracts the AJAX nonce from the localized JavaScript variable (e.g., happy_vars.nonce). 2. Targeting: The attacker identifies the ID of a support ticket they wish to delete or modify. 3. Unauthorized Request: The attacker sends an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'happy_delete_ticket', including the extracted nonce and the target ticket_id. Because the plugin uses wp_ajax_nopriv_ and lacks a current_user_can check, the server processes the deletion despite the attacker having no administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.