Introduction
Attackers can execute arbitrary PHP code on thousands of WordPress sites using the Helpdesk Integration plugin by exploiting a Local File Inclusion flaw. This vulnerability allows unauthenticated users to bypass access controls and potentially take full control of affected servers, exposing sensitive data and business operations to compromise.
The WordPress Helpdesk Integration plugin is a widely used extension for integrating customer support and ticketing systems into WordPress sites. Its adoption spans small businesses to larger organizations seeking to streamline support operations within their WordPress environments. The plugin’s reach means that vulnerabilities like CVE-2025-9990 can have significant real-world impact across a broad spectrum of web properties.
Technical Information
CVE-2025-9990 is a Local File Inclusion (LFI) vulnerability in the WordPress Helpdesk Integration plugin, affecting all versions up to and including 5.8.10. The vulnerability arises from insufficient validation of the portal_type parameter. Attackers can manipulate this parameter to include arbitrary .php files from the server filesystem. If an attacker can upload or otherwise place a PHP file on the server, they can use this flaw to execute arbitrary code within the context of the web server process.
The exploitation technique involves sending specially crafted HTTP requests to endpoints that process the portal_type parameter. By inserting directory traversal sequences (such as ../), an attacker can escape the intended directory and reference sensitive or attacker-controlled files elsewhere on the server. This is a classic example of CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.
The vulnerability does not require authentication, which means any remote user can attempt exploitation without prior access to the WordPress site. This dramatically increases the risk profile, as automated tools can scan and attack vulnerable sites at scale.
No public code snippets or vulnerable source lines are available in the referenced advisories, but the flaw is confirmed and tracked by multiple security databases.
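Since the flaw is reachable without authentication and is likely to be probed by automated scanners, the practical detection is to watch web server access logs for portal_type values that carry traversal sequences or fall outside the small set of values the plugin legitimately accepts. The script below is an added example, not code from the advisories or the plugin: the log lines, IP addresses and request paths are constructed, and the allow-list of legitimate portal_type values is a hypothetical placeholder to be replaced with the plugin's real set. It decodes repeated percent-encoding so that double-encoded traversal is caught as well as the plain ../ form.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format). Addresses, paths
# and values are made up for this example; they are not real indicators.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /index.php?portal_type=customer HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:12:00:02 +0000] "GET /index.php?portal_type=../../../../tmp/x.php HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /index.php?portal_type=%252e%252e%252fwp-config HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2025:12:00:05 +0000] "GET /index.php?portal_type=notaportal HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client IP, timestamp, request line and status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Hypothetical allow-list of legitimate portal selectors; substitute the plugin's real set.
ALLOWED_PORTAL_TYPES = {"customer", "agent"}

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ as well."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify_portal_type(raw: str):
    """Return why the value looks like an LFI attempt, or None when it is benign."""
    value = fully_decode(raw)
    if ".." in value or "\\" in value or value.startswith("/"):
        return "traversal"
    if value not in ALLOWED_PORTAL_TYPES:
        return "unexpected-value"
    return None

def scan_log(text: str) -> list:
    """Parse each log line and flag suspicious portal_type query values."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs already strips one layer of percent-encoding; fully_decode handles the rest.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in query.get("portal_type", []):
            reason = classify_portal_type(raw)
            if reason:
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "value": raw, "reason": reason})
    return hits
```

A 200 response paired with a flagged value deserves a closer look at the server, since the page notes that a successful include runs in the web server's context; the same allow-list used here is also the shape of the server-side fix for CWE-98.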
Affected Systems and Versions
- Product: WordPress Helpdesk Integration plugin
- Affected versions: All versions up to and including 5.8.10
- Vulnerable configuration: Any WordPress site with the Helpdesk Integration plugin installed at or below version 5.8.10