Skip to main content

JS Help Desk EUVDEUVD-2026-39383

| CVE-2026-56054 HIGH
Path Traversal (CWE-22)
2026-06-25 Patchstack GHSA-rqqr-p8wr-f4rp
7.7
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
7.7 HIGH

Network-reachable endpoint with low complexity; Subscriber login required so PR:L; arbitrary file deletion crosses into core files (S:C) with availability-only impact (A:H), no C/I.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:24 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions.

AnalysisAI

Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-privileged authenticated user (Subscriber, PR:L) delete arbitrary files on the server via path traversal. Because the scope is changed (S:C) and impact is availability-only (A:H), an attacker can remove critical files such as wp-config.php to trigger denial of service or force WordPress into a reinstall/setup state. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber account
Delivery
Authenticate to WordPress
Exploit
Send crafted delete request with ../ traversal
Execution
Plugin deletes arbitrary file
Impact
Critical files removed (DoS / setup state)

Vulnerability AssessmentAI

Exploitation Requires an authenticated session at minimum Subscriber privilege (CVSS PR:L), so the site must permit that account level-most impactful on sites with open self-registration enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, base 7.7 High) indicates a network-reachable, low-complexity attack needing only minimal authentication and no user interaction, with availability-only impact and a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a JS Help Desk-enabled WordPress site (or uses an existing low-privilege login), then sends a crafted authenticated request to the plugin's file-deletion handler with a traversal payload such as ../../../../wp-config.php. The targeted file is deleted, knocking the site offline or pushing it into an installable state. …
Remediation No vendor-released patch version is identified at time of analysis, so confirm the latest available release via the WordPress plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-1-1-arbitrary-file-deletion-vulnerability) and upgrade to any version above 3.1.1 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable the JS Help Desk plugin on all WordPress installations and audit which environments are affected. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-50839 CRITICAL POC
9.3 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He

CVE-2024-43274 CRITICAL
9.8 Nov 01

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Accessing Func

CVE-2024-31273 CRITICAL
9.8 Jun 09

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.3. Rated critical s

CVE-2026-48886 CRITICAL
9.3 Jun 15

SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to

CVE-2022-47151 HIGH
8.6 Apr 17

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He

CVE-2026-32534 HIGH
8.5 Mar 25

JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to exe

CVE-2024-13606 HIGH
7.5 Feb 13

The JS Help Desk - The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information E

CVE-2026-32535 MEDIUM
6.5 Mar 25

JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct obje

CVE-2026-48887 MEDIUM
6.5 Jun 15

Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote atta

CVE-2022-46842 MEDIUM
5.4 Feb 02

Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions. Rated medium severity (CVSS 5.

Share

EUVD-2026-39383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy