Skip to main content

JS Help Desk CVE-2026-48887

| EUVDEUVD-2026-36861 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-7cxr-wpq9-9fw9
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable unauthenticated endpoint with no interaction; impact limited to low integrity and availability with no confidentiality loss and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:54 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions.

AnalysisAI

Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote attackers to perform unauthorized actions against the help desk system, impacting both integrity and availability. The flaw, rooted in missing authorization checks (CWE-862), allows network-accessible exploitation with no credentials, no user interaction, and low attack complexity. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial exploitation profile warrants prompt remediation on any internet-exposed WordPress deployment.

Technical ContextAI

JS Help Desk is a WordPress support-ticket plugin developed by vendor 'ahmad', identified via CPE cpe:2.3:a:ahmad:js_help_desk:*:*:*:*:*:*:*:*. CWE-862 (Missing Authorization) describes the root cause: one or more plugin endpoints or AJAX actions fail to verify whether the requesting user holds the necessary capability or role before executing sensitive operations. In WordPress, plugins commonly register REST API routes or admin-ajax handlers that must explicitly call current_user_can() or equivalent checks; omitting these checks allows any HTTP client - authenticated or not - to invoke restricted functionality. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the flaw is reachable over the network without any credentials or user interaction, consistent with a publicly registered but inadequately guarded WordPress endpoint.

RemediationAI

The primary remediation is to upgrade the JS Help Desk plugin beyond version 3.0.9; the exact patched version is not confirmed in available data - verify the latest release in the WordPress plugin repository and cross-check the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-0-9-broken-access-control-vulnerability for a confirmed fix version before deploying. If an upgrade is not immediately possible, a practical compensating control is to place the WordPress site behind authentication at the web server or WAF layer (e.g., HTTP Basic Auth on wp-admin and admin-ajax.php), which prevents unauthenticated access to plugin AJAX handlers - note this may disrupt legitimate front-end ticket submission by unauthenticated users if the plugin supports public ticket creation. Alternatively, a WAF rule blocking unexpected parameter combinations on admin-ajax.php or the plugin's REST routes can reduce exposure. Neither workaround is a substitute for patching. Monitor the WordPress plugin update channel and Patchstack for a confirmed patched release.

CVE-2023-50839 CRITICAL POC
9.3 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He

CVE-2024-43274 CRITICAL
9.8 Nov 01

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Accessing Func

CVE-2024-31273 CRITICAL
9.8 Jun 09

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.3. Rated critical s

CVE-2026-48886 CRITICAL
9.3 Jun 15

SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to

CVE-2022-47151 HIGH
8.6 Apr 17

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He

CVE-2026-32534 HIGH
8.5 Mar 25

JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to exe

CVE-2026-56054 HIGH
7.7 Jun 25

Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-p

CVE-2024-13606 HIGH
7.5 Feb 13

The JS Help Desk - The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information E

CVE-2026-32535 MEDIUM
6.5 Mar 25

JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct obje

CVE-2022-46842 MEDIUM
5.4 Feb 02

Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions. Rated medium severity (CVSS 5.

Share

CVE-2026-48887 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy