Impact
The vulnerability is an unauthenticated broken access control flaw (CWE-862) in the JS Help Desk WordPress plugin up to version 3.0.9. An attacker who can reach the plugin’s endpoints can perform actions normally reserved for administrators, such as creating, updating, or deleting tickets, potentially exposing confidential data or tampering with business logic. This weakness allows a malicious actor to compromise the integrity and confidentiality of ticketing data.
Affected Systems
The vulnerability affects the Ahmad:JS Help Desk WordPress plugin, specifically versions 3.0.9 and earlier. The plugin is distributed as a WordPress plugin and should be updated to at least version 3.1.0 to remove the flaw.
Risk and Exploitability
With a CVSS score of 6.5 the flaw is considered moderate severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation at this time, and the exploit is not currently listed in the CISA KEV catalog. The attack vector is inferred to be remote access through the plugin’s web interface, requiring no prior authentication. The impact remains local to the WordPress site but could allow a compromised site to leak sensitive ticket information or alter ticket data.
OpenCVE Enrichment