CVE-2026-48964: WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.6 - SQL Injection vulnerability
Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions.
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin, affecting all versions up to and including 3.3.6. The vulnerability is reachable over the network and requires only a low-privilege account (subscriber-level), with no user interaction needed. Successful exploitation gives an attacker direct read access to database contents and can disrupt service availability. No fix version has been published; HarborGuard tracks this advisory and will make a patched rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images, including custom-built WordPress images carrying this plugin. Any image found running ELEX WordPress HelpDesk & Customer Ticketing System at version 3.3.6 or earlier is flagged automatically.
HarborGuard scores this issue at CVSS 8.5 HIGH (v3.1) and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on configured ownership rules.
No upstream fix has been published for this CVE; remediation status is pending upstream. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the fixed version as soon as one is released upstream. For customers with auto-remediation enabled, a rebuilt image, a regression-test run, and a PR opened against affected workloads follow automatically once a fix version is confirmed.
Exploit Conditions
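As an added illustration of the version match described above (example code written for this page, not HarborGuard's scanner and not the plugin's own code): it walks a WordPress `wp-content/plugins` tree, such as one extracted from a container image, reads each plugin's header the way WordPress does (first 8 KiB, `Key: value` lines in the leading comment), and flags the named plugin at any version up to 3.3.6. The plugin directory names in the built-in fixture are assumptions, the sample plugin files are constructed and contain no real plugin code, and the higher version used to show a non-match is hypothetical; no fixed release has been published. Run it with no argument to scan the constructed fixture, or pass a real plugins directory.

```python
import re
import sys
import tempfile
from pathlib import Path

# From the advisory: the plugin name as it appears in its header, and the highest affected
# version. No fixed version is published, so everything <= 3.3.6 is flagged.
PLUGIN_NAME = "ELEX WordPress HelpDesk & Customer Ticketing System"
MAX_AFFECTED = "3.3.6"

# WordPress reads file headers as "Key: value" lines inside the leading comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_plugin_header(text: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a plugin's main PHP file.

    Like WordPress itself, only the first 8 KiB are examined and the first
    occurrence of each key wins.
    """
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value)
    return fields


def parse_version(version: str) -> tuple:
    """'3.3.6' -> (3, 3, 6). A non-numeric suffix ('3.3.6-beta1') is dropped so a
    pre-release compares as its base version; an unparseable string becomes () and
    therefore compares as affected (conservative)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when version <= 3.3.6 by tuple comparison: (3, 3) < (3, 3, 6) < (3, 4)."""
    return parse_version(version) <= parse_version(MAX_AFFECTED)


def scan_plugins_dir(plugins_dir) -> list:
    """Walk wp-content/plugins and report every copy of the named plugin with its version."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        # The main file is whichever top-level .php file carries a Plugin Name header.
        for php in sorted(entry.glob("*.php")):
            header = parse_plugin_header(php.read_text(encoding="utf-8", errors="replace"))
            if "Plugin Name" not in header:
                continue
            if header["Plugin Name"] == PLUGIN_NAME:
                version = header.get("Version", "")
                findings.append({"path": str(php), "version": version or "unknown",
                                 "affected": is_affected(version)})
            break
    return findings


def build_fixture(root) -> Path:
    """Constructed sample plugin tree for an offline run; none of this is real plugin code.
    Directory names are assumptions: matching is on the Plugin Name header, not the slug."""
    plugins = Path(root) / "wp-content" / "plugins"
    samples = {
        "elex-helpdesk/elex-helpdesk.php": (PLUGIN_NAME, "3.3.6"),          # in the affected range
        "elex-helpdesk-hypothetical/elex-helpdesk.php": (PLUGIN_NAME, "3.4.0"),  # hypothetical higher version, not a published fix
        "some-other-plugin/some-other-plugin.php": ("Some Other Plugin", "1.0.0"),  # unrelated plugin, ignored
    }
    for rel, (name, version) in samples.items():
        path = plugins / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n", encoding="utf-8")
    return plugins


def run_demo() -> list:
    """Build the constructed fixture in a temp directory and scan it."""
    return scan_plugins_dir(build_fixture(tempfile.mkdtemp()))


def main(argv) -> int:
    findings = scan_plugins_dir(Path(argv[1])) if len(argv) > 1 else run_demo()
    for f in findings:
        status = "AFFECTED    " if f["affected"] else "not affected"
        print(f"{status}  {f['version']:>8}  {f['path']}")
    # Non-zero exit when anything in range is found, so the check can gate an image build.
    return 1 if any(f["affected"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The comparison is deliberately tuple-based rather than string-based so that `3.3` sorts below `3.3.6` and `3.10` above `3.9`; an unparseable version string is treated as affected rather than silently skipped, which is the safer failure mode for a scanner whose job is to flag, not to clear.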
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation over HTTP or HTTPS.
- Authentication: Required
Any low-privilege WordPress account (subscriber-level or equivalent) is sufficient; no administrative credentials are needed. On sites with open registration enabled, where new accounts default to the Subscriber role, anyone who can sign up meets this condition.
- Victim interaction: Not required
No action by any other user or administrator is needed to trigger the vulnerability.
- Attack complexity: Low
The exploit is reliable and deterministic (CVSS AC:L); no race conditions or special environmental preconditions are required.
Blast Radius
- An attacker reads arbitrary database rows (C:H), including stored ticket contents, customer personal data, and the password hashes and session tokens WordPress keeps in its users and user-meta tables.
- The changed scope (S:C) means impact extends beyond the plugin itself: the injected query runs with the WordPress database user's privileges, so every table that user can reach, not just the plugin's own, is exposed, as are other services sharing that database.
- Availability is degraded (A:L) through resource-exhausting queries that can slow or crash the database service backing the WordPress installation; the vector records no integrity impact (I:N).
How HarborGuard Handles This
Available on HarborGuard: scanning for this CVE is active against all customer images carrying the ELEX WordPress HelpDesk & Customer Ticketing System plugin at any version up to 3.3.6. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle. In the interim, customers are advised to apply compensating controls: network-policy rules that restrict which sources can reach the affected WordPress instance at all, since any account holder who can reach it can exploit the flaw; disabling open user registration so that subscriber accounts cannot be self-provisioned; web-application firewall rules targeting SQL injection patterns on the plugin's endpoints; and a review of existing subscriber-role accounts to limit exposure. The moment Patchstack or the vendor publishes a patched release, HarborGuard will make a rebuilt image available at that version; for customers with auto-remediation enabled, a regression-tested rebuild and a PR against affected workloads will follow without manual intervention.
Affected Products
- ELEXtensions / ELEX WordPress HelpDesk & Customer Ticketing System: ≤ 3.3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L