Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection. This issue affects JS Help Desk: from n/a through <= 3.0.3.
Published: 2026-03-25
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data confidentiality breach
Action: Patch plugin
AI Analysis

Impact

Improper neutralization of special elements used in an SQL command (CWE‑89) is present in the JoomSky JS Help Desk WordPress plugin, allowing an attacker to gain blind SQL injection capability. The flaw lets an adversary inject malicious SQL fragments into queries without receiving error messages, enabling the unauthorized extraction or alteration of data stored in the site’s database. Exposure could include ticket contents, customer details, or administrative information managed by the plugin.

Affected Systems

The vulnerability affects all installations of JoomSky JS Help Desk running version 3.0.3 or earlier on WordPress sites. Any site that has the plugin enabled, particularly where the ticket submission form or other user‑controlled input is accessible, is at risk.

Risk and Exploitability

The CVSS base score of 8.5 indicates high severity. No EPSS score is publicly available, and the flaw is not listed in the CISA KEV catalog; however, the absence of a known exploit does not reduce the threat. The likely attack vector is remote exploitation via crafted HTTP requests that trigger the vulnerable SQL queries, so an attacker with network access to the site can take advantage of the flaw without requiring privileged credentials or local file tampering.

Generated by OpenCVE AI on March 26, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available version of the JoomSky JS Help Desk plugin, which removes the injection vulnerability
  • If an upgrade is not immediately possible, restrict external access to the plugin’s input forms and verify that any user input is properly sanitized or that prepared statements are used
  • Disable the plugin on non‑production or test environments until a patch is applied
  • Follow general WordPress hardening practices such as limiting user roles, protecting the database, and monitoring for abnormal query activity


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Joomsky; Joomsky js Help Desk; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Joomsky; Joomsky js Help Desk; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection. This issue affects JS Help Desk: from n/a through <= 3.0.3.

Type: Title
Values Added: WordPress JS Help Desk plugin <= 3.0.3 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:28:30.189Z

Reserved: 2026-03-12T11:12:24.776Z

Link: CVE-2026-32534

Vulnrichment

Updated: 2026-03-25T20:26:44.570Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:07.010

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:18Z

Weaknesses