Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable unauthenticated endpoint with no interaction; impact limited to low integrity and availability with no confidentiality loss and unchanged scope.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions.
AnalysisAI
Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote attackers to perform unauthorized actions against the help desk system, impacting both integrity and availability. The flaw, rooted in missing authorization checks (CWE-862), allows network-accessible exploitation with no credentials, no user interaction, and low attack complexity. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial exploitation profile warrants prompt remediation on any internet-exposed WordPress deployment.
Technical ContextAI
JS Help Desk is a WordPress support-ticket plugin developed by vendor 'ahmad', identified via CPE cpe:2.3:a:ahmad:js_help_desk:*:*:*:*:*:*:*:*. CWE-862 (Missing Authorization) describes the root cause: one or more plugin endpoints or AJAX actions fail to verify whether the requesting user holds the necessary capability or role before executing sensitive operations. In WordPress, plugins commonly register REST API routes or admin-ajax handlers that must explicitly call current_user_can() or equivalent checks; omitting these checks allows any HTTP client - authenticated or not - to invoke restricted functionality. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the flaw is reachable over the network without any credentials or user interaction, consistent with a publicly registered but inadequately guarded WordPress endpoint.
RemediationAI
The primary remediation is to upgrade the JS Help Desk plugin beyond version 3.0.9; the exact patched version is not confirmed in available data - verify the latest release in the WordPress plugin repository and cross-check the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-0-9-broken-access-control-vulnerability for a confirmed fix version before deploying. If an upgrade is not immediately possible, a practical compensating control is to place the WordPress site behind authentication at the web server or WAF layer (e.g., HTTP Basic Auth on wp-admin and admin-ajax.php), which prevents unauthenticated access to plugin AJAX handlers - note this may disrupt legitimate front-end ticket submission by unauthenticated users if the plugin supports public ticket creation. Alternatively, a WAF rule blocking unexpected parameter combinations on admin-ajax.php or the plugin's REST routes can reduce exposure. Neither workaround is a substitute for patching. Monitor the WordPress plugin update channel and Patchstack for a confirmed patched release.
More in Js Help Desk
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He
Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Accessing Func
Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.3. Rated critical s
SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He
JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to exe
Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-p
The JS Help Desk - The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information E
JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct obje
Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions. Rated medium severity (CVSS 5.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36861
GHSA-7cxr-wpq9-9fw9