Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Network-reachable endpoint with low complexity; Subscriber login required so PR:L; arbitrary file deletion crosses into core files (S:C) with availability-only impact (A:H), no C/I.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions.
AnalysisAI
Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-privileged authenticated user (Subscriber, PR:L) delete arbitrary files on the server via path traversal. Because the scope is changed (S:C) and impact is availability-only (A:H), an attacker can remove critical files such as wp-config.php to trigger denial of service or force WordPress into a reinstall/setup state. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated session at minimum Subscriber privilege (CVSS PR:L), so the site must permit that account level-most impactful on sites with open self-registration enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, base 7.7 High) indicates a network-reachable, low-complexity attack needing only minimal authentication and no user interaction, with availability-only impact and a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber account on a JS Help Desk-enabled WordPress site (or uses an existing low-privilege login), then sends a crafted authenticated request to the plugin's file-deletion handler with a traversal payload such as ../../../../wp-config.php. The targeted file is deleted, knocking the site offline or pushing it into an installable state. … |
| Remediation | No vendor-released patch version is identified at time of analysis, so confirm the latest available release via the WordPress plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-1-1-arbitrary-file-deletion-vulnerability) and upgrade to any version above 3.1.1 once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable the JS Help Desk plugin on all WordPress installations and audit which environments are affected. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Js Help Desk
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He
Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Accessing Func
Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.3. Rated critical s
SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS He
JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to exe
The JS Help Desk - The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information E
JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct obje
Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote atta
Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions. Rated medium severity (CVSS 5.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39383
GHSA-rqqr-p8wr-f4rp