Description
Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated SQL Injection is present in versions 3.0.9 and earlier of the WordPress JS Help Desk plugin. The vulnerability arises from the plugin’s handling of user data in database queries, enabling attackers to inject unsanitized SQL code. This can lead to unauthorized access to the database.

Affected Systems

Ahmad:JS Help Desk is a WordPress plugin, with affected releases up to and including 3.0.9. Any WordPress site that has installed this plugin version (or older) is vulnerable. No further version granularity is listed in the CNA data.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, whereas the EPSS score of <1% suggests a low current exploitation probability. The flaw is exploitable by unauthenticated users via the web interface and is not listed in the CISA KEV catalog. The vendor recommends upgrading to version 3.1.0 or newer.

Generated by OpenCVE AI on June 18, 2026 at 00:35 UTC.

Remediation

Vendor Solution

Update the WordPress JS Help Desk Plugin to the latest available version (at least 3.1.0).


OpenCVE Recommended Actions

  • Update the WordPress JS Help Desk plugin to version 3.1.0 or later.
  • Remove or deactivate any remaining copies of the older plugin to eliminate residual attack surface.
  • Restrict the database user role used by the application to the minimal permissions required, and monitor for anomalous query activity.

Generated by OpenCVE AI on June 18, 2026 at 00:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Ahmad
Ahmad js Help Desk
Wordpress
Wordpress wordpress
Vendors & Products Ahmad
Ahmad js Help Desk
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions.
Title WordPress JS Help Desk plugin <= 3.0.9 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Ahmad Js Help Desk
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:22:26.081Z

Reserved: 2026-05-25T22:37:16.413Z

Link: CVE-2026-48886

cve-icon Vulnrichment

Updated: 2026-06-16T01:22:21.478Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:17.853

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48886

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:53Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')