Description
Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated insecure direct object references in the JoomSky JS Help Desk plugin versions 3.1.0 and earlier allow an attacker to access or modify support ticket data. The vulnerability stems from missing authorization checks when resolving ticket identifiers, which aligns with CWE‑639. If exploited, this could lead to the disclosure of sensitive customer information or manipulation of ticket records, compromising confidentiality and integrity.

Affected Systems

Both the JoomSky JS Help Desk plugin and the broader WordPress installation that hosts it are impacted. Any WordPress site deploying the plugin up to and including version 3.1.0 is vulnerable. No other plugins or products are mentioned.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating moderate severity. No EPSS score is available, so the current likelihood of exploitation is unknown. The issue is not listed in the CISA KEV catalog. Because the attack is unauthenticated, an attacker only needs to send crafted requests to retrieve or tamper with ticket records directly, making exploitation straightforward for a malicious actor with web access.

Generated by OpenCVE AI on June 26, 2026 at 17:41 UTC.

Remediation

Vendor Solution

Update the WordPress JS Help Desk Plugin to the latest available version (at least 3.1.1).

OpenCVE Recommended Actions

  • Upgrade the WordPress JS Help Desk plugin to version 3.1.1 or later.
  • Audit the plugin code to ensure that all ticket identifiers are protected by proper authorization checks, preventing direct access by unauthenticated users.
  • Configure WordPress permissions and enable logging for ticket access so that any unauthorized attempts can be detected and investigated.

Generated by OpenCVE AI on June 26, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomsky
Joomsky js Help Desk
Wordpress
Wordpress wordpress
Vendors & Products Joomsky
Joomsky js Help Desk
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions.
Title WordPress JS Help Desk plugin <= 3.1.0 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Joomsky Js Help Desk
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:31:47.191Z

Reserved: 2026-06-25T08:03:24.124Z

Link: CVE-2026-57652

cve-icon Vulnrichment

Updated: 2026-06-26T15:31:44.647Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T21:30:06Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key