Description
Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions.
Published: 2026-06-25
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JS Help Desk plugin for WordPress exposes an arbitrary file deletion flaw that allows any subscriber to delete files on the server. The vulnerability is classified as path traversal (CWE-22) and lets a low-privileged authenticated user remove critical configuration or content files, potentially disrupting website operation or compromising site data. The deletion capability can lead to loss of functionality and data loss, and may serve as a foothold for further attacks if removing a file opens a path to code execution.

Affected Systems

The flaw affects the Ahmad:JS Help Desk WordPress plugin, with all releases up to and including version 3.1.1 vulnerable. Sites running those versions are at risk unless the plugin is upgraded to 3.1.2 or a later, patched version.

Risk and Exploitability

With a CVSS score of 7.7, the vulnerability carries high severity. The EPSS score is not available, and the flaw is not listed in CISA’s KEV catalog, but its inherent high severity and the fact that it can be triggered by any authenticated subscriber make it a significant risk. Attackers with subscriber access can delete arbitrary files, compromising site stability and data integrity. There are no publicly available mitigations beyond updating the plugin, so timely patching is essential.

Generated by OpenCVE AI on June 25, 2026 at 15:44 UTC.

Remediation

Vendor Solution

Update the WordPress JS Help Desk Plugin to the latest available version (at least 3.1.2).


OpenCVE Recommended Actions

  • Update the JS Help Desk plugin to version 3.1.2 or later.
  • Review the list of subscriber accounts and remove or demote any that are no longer needed; on affected versions any subscriber account can trigger the file deletion.
  • Ensure file system permissions for the WordPress installation restrict write access to only those directories necessary for site operation.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions.
Title | | WordPress JS Help Desk plugin <= 3.1.1 - Arbitrary File Deletion vulnerability
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:35:04.703Z

Reserved: 2026-06-18T14:38:04.420Z

Link: CVE-2026-56054

Vulnrichment

Updated: 2026-06-25T14:34:32.379Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T15:45:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')