PatchSiren cyber security CVE debrief
CVE-2026-48964 ELEXtensions CVE debrief
A high-severity SQL injection vulnerability was discovered in the ELEX WordPress HelpDesk & Customer Ticketing System plugin, affecting versions 3.3.6 and below. The vulnerability, tracked as CVE-2026-48964, has a CVSS score of 8.5 and allows authenticated subscribers to inject malicious SQL code.
- Vendor
- ELEXtensions
- Product
- ELEX WordPress HelpDesk & Customer Ticketing System
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of the ELEX WordPress HelpDesk & Customer Ticketing System plugin, particularly those with subscriber-level access, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability exists due to inadequate input sanitization, allowing subscribers to inject malicious SQL code. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L.
Defensive priority
High
Recommended defensive actions
- Update the ELEX WordPress HelpDesk & Customer Ticketing System plugin to a version that addresses this vulnerability.
- Limit subscriber-level access to sensitive areas of the plugin.
- Monitor for suspicious activity that may indicate exploitation of this vulnerability.
Evidence notes
Evidence for this CVE comes from Patchstack, a reputable source for WordPress plugin vulnerabilities.
Official resources
-
CVE-2026-48964 CVE record
CVE.org
-
CVE-2026-48964 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-48964 was published on 2026-06-15T21:17:18.200Z and modified on 2026-06-15T21:24:32.790Z.