What is the CVSS score of CVE-2023-7337?

CVE-2023-7337 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of WordPress are affected by CVE-2023-7337?

The JS Help Desk WordPress plugin contains a SQL Injection vulnerability affecting version 2.8.2 that could allow attackers to extract sensitive database information or manipulate support ticket…

Is there a public PoC exploit available for CVE-2023-7337?

Yes, a public proof-of-concept exploit is available for CVE-2023-7337. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2023-7337?

Within 24 hours: Identify all WordPress instances running JS Help Desk plugin version 2.8.2 and disable the plugin or restrict access to support ticket functionality. Within 7 days: Implement WAF rules to block malicious cookie payloads targeting 'js-support-ticket-token-tkstatus' and conduct database access logs review for signs of exploitation. Within 30 days: Contact the vendor for patch availability, evaluate alternative support ticketing solutions, or plan for plugin upgrade immediately upon vendor patch release.

WordPress CVE-2023-7337

HIGH

SQL Injection (CWE-89)

2026-03-04 security@wordfence.com

WordPress SQLi

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:37 vuln.today

cvss_changed

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

CVE Published

Mar 04, 2026 - 10:16 nvd

HIGH 7.5

DescriptionCVE.org

The JS Help Desk - AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the 'js-support-ticket-token-tkstatus' cookie in version 2.8.2 due to an incomplete fix for CVE-2023-50839 where a second sink was left with insufficient escaping on the user supplied values and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

Technical ContextAI

Classified as CWE-89 (SQL Injection). The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the 'js-support-ticket-token-tkstatus' cookie in version 2.8.2 due to an incomplete fix for CVE-2023-50839 where a second sink was left with insufficient escaping on the user supplied values and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used

Affected ProductsAI

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the 'js-support-ticket-token-tkstatus

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.