Description
The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection allowing data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the JS Help Desk plugin for WordPress, where the `storeTickets()` function uses a `multiformid` parameter directly in an SQL query. Because the supplied value is passed to the `esc_sql()` routine without enclosing it in quotes, escaping does not protect against payloads lacking quote characters. An attacker who can submit data to this endpoint can inject arbitrary SQL, enabling extraction of sensitive database contents. This is a classic SQL Injection (CWE-89) that compromises data confidentiality.
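The following is an added illustration of the root cause described above and in the Description; it is not the JS Help Desk plugin's own code. The table name, column names, function names and the `WP_Error` codes are assumptions. `esc_sql()` escapes only the characters that would terminate a quoted string literal, so it is ineffective when the value is concatenated into the query unquoted; binding the value through `$wpdb->prepare()` with a `%d` placeholder keeps the data out of the query structure entirely.

```php
<?php
// Added example, not code from the JS Help Desk plugin. Table and helper
// names are assumptions used for illustration only.

/**
 * Vulnerable pattern (do not use). esc_sql() is designed for values that
 * will be wrapped in quotes; with no quotes around the interpolated value,
 * input consisting of bare identifiers, operators and whitespace contains
 * nothing to escape and is passed into the query unchanged.
 */
function jshd_example_lookup_form_unsafe( $multiformid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_forms'; // assumed table name
    $sql   = "SELECT id, title FROM {$table} WHERE id = " . esc_sql( $multiformid );
    return $wpdb->get_results( $sql );
}

/**
 * Hardened version: validate that the id is a positive integer, then bind
 * it with $wpdb->prepare() so the value can never alter the query text.
 */
function jshd_example_lookup_form_safe( $multiformid ) {
    global $wpdb;

    // Request data may arrive as an array or other non-scalar; reject it early.
    if ( ! is_scalar( $multiformid ) ) {
        return new WP_Error( 'invalid_form_id', 'multiformid must be a scalar value.' );
    }

    // Accept only a non-empty string of decimal digits with a positive value.
    $id_str = (string) $multiformid;
    if ( '' === $id_str || ! ctype_digit( $id_str ) || (int) $id_str <= 0 ) {
        return new WP_Error( 'invalid_form_id', 'multiformid must be a positive integer.' );
    }

    $table = $wpdb->prefix . 'example_forms'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id = %d",
        (int) $id_str
    );
    return $wpdb->get_results( $sql );
}

/**
 * Example request handler (assumed shape of a ticket-submission entry point):
 * read the parameter, unslash it as WordPress expects, and use only the
 * validated, prepared lookup.
 */
function jshd_example_handle_ticket_submission() {
    $raw  = isset( $_POST['multiformid'] ) ? wp_unslash( $_POST['multiformid'] ) : '';
    $rows = jshd_example_lookup_form_safe( $raw );

    if ( is_wp_error( $rows ) ) {
        wp_send_json_error( array( 'message' => $rows->get_error_message() ), 400 );
    }
    wp_send_json_success( $rows );
}
```

The same rule applies to any other identifier the plugin interpolates: numeric columns get `%d`, string columns get `%s`, and `esc_sql()` alone is never a substitute for `$wpdb->prepare()`. The explicit digit check in front of `prepare()` is not required for safety but turns malformed input into a clean 400 response instead of a silent cast to `0`, which also makes such requests easier to spot in logs.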

Affected Systems

All released iterations of the JS Help Desk – AI-Powered Support & Ticketing System plugin are vulnerable through version 3.0.4 inclusive. The affected product is distributed by rabilal. No higher versions are indicated as impacted, but any instance running the plugin at version 3.0.4 or earlier is at risk.

Risk and Exploitability

The CVSS base score of 7.5 is rated High. The EPSS score is very low (under 1%), and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Because the flaw is exploitable by unauthenticated users who can reach the ticket-submission interface, the risk is heightened for publicly exposed WordPress sites. Attackers could send malicious payloads in the `multiformid` field, bypassing basic sanitization and potentially retrieving or manipulating database data.

Generated by OpenCVE AI on March 26, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JS Help Desk plugin to the latest available version, ensuring it is newer than 3.0.4.
  • If an update cannot be applied immediately, completely disable or uninstall the plugin to eliminate the attack surface.
  • When the plugin must remain in use, restrict access to the ticket submission endpoint so that only authenticated users can send requests.
  • Regularly review access logs for suspicious queries and consider deploying an application firewall that filters malformed SQL payloads.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Rabilal
                                      Rabilal js Help Desk – Ai-powered Support & Ticketing System
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Rabilal
                                      Rabilal js Help Desk – Ai-powered Support & Ticketing System
                                      Wordpress
                                      Wordpress wordpress

Thu, 26 Mar 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 13:45:00 +0000

Type                 Values Removed   Values Added
Description                           The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title                                 JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter
Weaknesses                            CWE-89
References
Metrics                               cvssV3_1
                                      {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Rabilal Js Help Desk – Ai-powered Support & Ticketing System
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:19.181Z

Reserved: 2026-02-14T00:45:44.432Z

Link: CVE-2026-2511

Vulnrichment

Updated: 2026-03-26T13:56:46.272Z

NVD

Status : Awaiting Analysis

Published: 2026-03-26T14:16:10.017

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-2511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:26:47Z

Weaknesses