Overview
The WordPress Helpdesk Integration plugin, a widely used tool for integrating support desks into WordPress websites, has been identified as having a severe vulnerability. Classified as CVE-2025-9990, this particular vulnerability can lead to Local File Inclusion (LFI), which can provide an attacker with the ability to execute arbitrary PHP code on the server. This has serious implications, as WordPress is one of the most popular content management systems worldwide, and businesses of all sizes use it.
The implications of this vulnerability are far-reaching, potentially affecting thousands of websites. In the hands of malicious actors, this could lead to unauthorized access to sensitive data, bypassing of access controls, and in certain cases, execution of malicious code. This underscores the importance of addressing this vulnerability promptly.
Vulnerability Summary
CVE ID: CVE-2025-9990
Severity: High (CVSS: 8.1)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential for unauthorized access to sensitive data, bypassing of access controls, and execution of malicious code.
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
WordPress Helpdesk Integration Plugin | All up to 5.8.10
How the Exploit Works
The vulnerability exists within the ‘portal_type’ parameter of the WordPress Helpdesk Integration Plugin. An attacker can manipulate this parameter to include and execute arbitrary .php files on the server. This is possible even for unauthenticated attackers and can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Conceptual Example Code
Below is a conceptual example of how this vulnerability might be exploited. In this case, an HTTP request is made with a malicious payload that leverages the ‘portal_type’ parameter.
GET /wp-content/plugins/wp-helpdesk-integration/?portal_type=../../../../malicious.php HTTP/1.1
Host: target.example.comThe above request demonstrates the attacker attempting to execute a malicious PHP file by manipulating the ‘portal_type’ parameter to traverse the file directory, ultimately landing on and executing the ‘malicious.php’ file.
Mitigation and Prevention
The best mitigation at this time is to apply the vendor patch as soon as it becomes available. In the interim, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can provide temporary mitigation. Ensuring robust security practices, such as limiting file upload types and directory access, can also help prevent similar vulnerabilities in the future.