WordPress Helpdesk Integration CVE-2025-9990: Brief Summary of Local File Inclusion Vulnerability

This post provides a brief summary of CVE-2025-9990, a Local File Inclusion vulnerability affecting all versions up to and including 5.8.10 of the WordPress Helpdesk Integration plugin. It covers technical details, affected versions, and references for further reading.
CVE Analysis

6 min read

ZeroPath CVE Analysis

2025-09-04

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can execute arbitrary PHP code on thousands of WordPress sites that run the Helpdesk Integration plugin by exploiting a Local File Inclusion flaw. Because the flaw is reachable without authentication, it allows remote users to bypass access controls and potentially take full control of affected servers, exposing sensitive data and business operations to compromise.

The WordPress Helpdesk Integration plugin is a widely used extension for integrating customer support and ticketing systems into WordPress sites. Its adoption spans small businesses to larger organizations seeking to streamline support operations within their WordPress environments. The plugin’s reach means that vulnerabilities like CVE-2025-9990 can have significant real-world impact across a broad spectrum of web properties.

Technical Information

CVE-2025-9990 is a Local File Inclusion (LFI) vulnerability in the WordPress Helpdesk Integration plugin, affecting all versions up to and including 5.8.10. The vulnerability arises from insufficient validation of the portal_type parameter, whose value is used to select a file for inclusion. Attackers can manipulate this parameter to include arbitrary .php files from the server filesystem. If an attacker can upload or otherwise place a PHP file on the server, they can use this flaw to execute arbitrary code within the context of the web server process.

The exploitation technique involves sending specially crafted HTTP requests to endpoints that process the portal_type parameter. By inserting directory traversal sequences (such as ../), an attacker can escape the intended directory and reference sensitive or attacker-controlled files elsewhere on the server. This is a classic example of CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.

The vulnerability does not require authentication, which means any remote user can attempt exploitation without prior access to the WordPress site. This dramatically increases the risk profile, as automated tools can scan and attack vulnerable sites at scale.

No public code snippets or vulnerable source lines are available in the referenced advisories, but the flaw is confirmed and tracked by multiple security databases.
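As an added illustration of the CWE-98 pattern described above (not the plugin's actual code, which the advisories do not publish), the following contrasts a portal_type handler that includes whatever file the parameter names with a hardened version that maps the value onto a fixed allowlist and confirms the resolved path stays inside the templates directory. The function names, template names and the templates/ directory are assumptions for the example.

```php
<?php
// Added illustration of the CWE-98 class of flaw, not the Helpdesk Integration
// plugin's real code. Function names, template names and paths are assumed.

// Vulnerable pattern: the request parameter decides which file is included.
// A value containing traversal sequences (../) escapes the templates directory
// and can point the include at any .php file the web server can read.
function render_portal_vulnerable(array $request): void {
    $portal_type = $request['portal_type'] ?? 'default';
    include __DIR__ . '/templates/' . $portal_type . '.php';
}

// Hardened pattern: the untrusted value is only ever used as a lookup key into
// a fixed allowlist, and the request fails closed on anything else.
const PORTAL_TEMPLATES = [
    'tickets'   => 'portal-tickets.php',
    'knowledge' => 'portal-knowledge.php',
    'contact'   => 'portal-contact.php',
];

function resolve_portal_template(string $portal_type): ?string {
    if (!array_key_exists($portal_type, PORTAL_TEMPLATES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . PORTAL_TEMPLATES[$portal_type]);
    // realpath() resolves symlinks and any traversal; as defence in depth,
    // confirm the resolved file is still located under the templates directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_portal_hardened(array $request): void {
    // sanitize_key() (WordPress core) lowercases and strips everything but [a-z0-9_-].
    $portal_type = sanitize_key((string) ($request['portal_type'] ?? 'tickets'));
    $template = resolve_portal_template($portal_type);
    if ($template === null) {
        wp_die(esc_html__('Invalid portal type.', 'example-plugin'), 400);
    }
    include $template;
}
```

The allowlist lookup is the actual fix; the realpath() containment check only guards against a template entry being misconfigured or replaced by a symlink.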

Affected Systems and Versions

  • Product: WordPress Helpdesk Integration plugin
  • Affected versions: All versions up to and including 5.8.10
  • Vulnerable configuration: Any WordPress site with the Helpdesk Integration plugin installed at or below version 5.8.10
