Skip to main content

Js Help Desk

11 CVEs product

Monthly

CVE-2026-56054 HIGH This Week

Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-privileged authenticated user (Subscriber, PR:L) delete arbitrary files on the server via path traversal. Because the scope is changed (S:C) and impact is availability-only (A:H), an attacker can remove critical files such as wp-config.php to trigger denial of service or force WordPress into a reinstall/setup state. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; it was disclosed through Patchstack.

Path Traversal Js Help Desk
NVD VulDB
CVSS 3.1
7.7
EPSS
0.4%
CVE-2026-48887 MEDIUM This Month

Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote attackers to perform unauthorized actions against the help desk system, impacting both integrity and availability. The flaw, rooted in missing authorization checks (CWE-862), allows network-accessible exploitation with no credentials, no user interaction, and low attack complexity. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial exploitation profile warrants prompt remediation on any internet-exposed WordPress deployment.

Authentication Bypass Js Help Desk
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48886 CRITICAL Act Now

SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to inject arbitrary SQL into backend database queries. The flaw was disclosed via Patchstack and carries a CVSS 9.3 with scope change, meaning successful exploitation can read database contents beyond the plugin's own data. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Js Help Desk
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-32535 MEDIUM This Month

JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct object references (IDOR) and incorrectly configured access control security levels. An attacker with minimal or no privileges can exploit user-controlled keys in API requests or direct object references to access, modify, or view unauthorized help desk tickets, user data, and support resources. While no CVSS score is currently assigned and KEV/EPSS data are unavailable, the vulnerability has been publicly reported by Patchstack with reference documentation available.

Authentication Bypass Js Help Desk
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32534 HIGH This Week

JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects the JS Help Desk plugin (identified via CPE cpe:2.3:a:joomsky:js_help_desk) and was reported by Patchstack. While no CVSS score or EPSS data is currently available, the blind SQL injection classification (CWE-89) indicates a serious data exfiltration and potential privilege escalation risk; however, the lack of CVE metadata and KEV designation suggests this may be a newer or less widely exploited vulnerability pending full disclosure and vendor patch release.

SQLi Js Help Desk
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2024-13606 HIGH This Week

The JS Help Desk - The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Js Help Desk
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-43274 CRITICAL Act Now

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Accessing Functionality Not Properly Constrained by ACLs.8.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Js Help Desk
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-31273 CRITICAL Act Now

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Js Help Desk
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2022-47151 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.7.1. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Js Help Desk
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2023-50839 CRITICAL POC THREAT Emergency

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.3%.

SQLi Js Help Desk
NVD
CVSS 3.1
9.3
EPSS
16.3%
CVE-2022-46842 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Js Help Desk
NVD
CVSS 3.1
5.4
EPSS
0.1%
EPSS 0% CVSS 7.7
HIGH This Week

Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-privileged authenticated user (Subscriber, PR:L) delete arbitrary files on the server via path traversal. Because the scope is changed (S:C) and impact is availability-only (A:H), an attacker can remove critical files such as wp-config.php to trigger denial of service or force WordPress into a reinstall/setup state. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; it was disclosed through Patchstack.

Path Traversal Js Help Desk
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote attackers to perform unauthorized actions against the help desk system, impacting both integrity and availability. The flaw, rooted in missing authorization checks (CWE-862), allows network-accessible exploitation with no credentials, no user interaction, and low attack complexity. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial exploitation profile warrants prompt remediation on any internet-exposed WordPress deployment.

Authentication Bypass Js Help Desk
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to inject arbitrary SQL into backend database queries. The flaw was disclosed via Patchstack and carries a CVSS 9.3 with scope change, meaning successful exploitation can read database contents beyond the plugin's own data. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Js Help Desk
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct object references (IDOR) and incorrectly configured access control security levels. An attacker with minimal or no privileges can exploit user-controlled keys in API requests or direct object references to access, modify, or view unauthorized help desk tickets, user data, and support resources. While no CVSS score is currently assigned and KEV/EPSS data are unavailable, the vulnerability has been publicly reported by Patchstack with reference documentation available.

Authentication Bypass Js Help Desk
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects the JS Help Desk plugin (identified via CPE cpe:2.3:a:joomsky:js_help_desk) and was reported by Patchstack. While no CVSS score or EPSS data is currently available, the blind SQL injection classification (CWE-89) indicates a serious data exfiltration and potential privilege escalation risk; however, the lack of CVE metadata and KEV designation suggests this may be a newer or less widely exploited vulnerability pending full disclosure and vendor patch release.

SQLi Js Help Desk
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

The JS Help Desk - The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Js Help Desk
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin allows Accessing Functionality Not Properly Constrained by ACLs.8.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Js Help Desk
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing Authorization vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Js Help Desk
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.7.1. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Js Help Desk
NVD
EPSS 16% CVSS 9.3
CRITICAL POC THREAT Emergency

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.8.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.3%.

SQLi Js Help Desk
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Js Help Desk
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy