PT-2024-6120 · WordPress · The Js Help Desk – The Ultimate Help Desk & Support Plugin

Connor Billings

·

Published

2024-08-12

·

Updated

2024-08-30

·

CVE-2024-7094

CVSS v3.1

10

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress, versions up to and including 2.8.6

Description

The plugin improperly controls code generation: the storeTheme function takes user-supplied values and writes them into the style.php file without sanitizing them and without checking the caller's capabilities. Because the values land in a PHP source file, a remote attacker can inject arbitrary PHP code, and because no capability check is performed, unauthenticated attackers can trigger storeTheme and execute that code on the server.

Recommendations

For versions up to and including 2.8.6, update to version 2.8.7, which fully patches the issue by fixing the code injection and adding the missing authorization and cross-site request forgery protection. As a temporary workaround, consider disabling the storeTheme function until the patch can be applied.
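As an added illustration of the three controls the advisory says were missing (this is not the plugin's code; the hook name, option name and request parameters are assumptions), a hardened pattern for the same "store theme" operation: a capability check, a nonce check, strict validation of each value, and storing the values as data instead of rewriting a PHP file:

```php
<?php
// Added example, not JS Help Desk code. All names here are hypothetical.
// The weak pattern the advisory describes is: take POSTed values, string-replace
// them into style.php, then include that file. Anything the user sends becomes
// PHP source. The handler below never lets user input reach a .php file.

// Only the authenticated hook is registered; with no wp_ajax_nopriv_ hook,
// unauthenticated requests have no handler to reach at all.
add_action( 'wp_ajax_example_store_theme', 'example_store_theme' );

function example_store_theme() {
    // 1. Authorization: only users who may manage options can change the theme.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this action.
    //    check_ajax_referer() dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_store_theme', 'nonce' );

    // 3. Validation: a fixed allow-list of keys, each value must be a #rrggbb colour.
    //    Anything else is rejected outright rather than "cleaned up".
    $allowed = array( 'primary_color', 'secondary_color', 'text_color' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        $value = wp_unslash( $_POST[ $key ] );
        if ( ! is_string( $value ) || ! preg_match( '/^#[0-9A-Fa-f]{6}$/', $value ) ) {
            wp_send_json_error( 'invalid value for ' . $key, 400 );
        }
        $clean[ $key ] = $value;
    }

    // 4. Storage: the values go into the options table as data, so nothing the
    //    user sent can ever be parsed or executed as PHP.
    update_option( 'example_theme_colors', $clean );
    wp_send_json_success( $clean );
}

// Rendering reads the validated data back and emits it as CSS custom properties.
function example_print_theme_css() {
    $css = '';
    foreach ( (array) get_option( 'example_theme_colors', array() ) as $key => $value ) {
        if ( preg_match( '/^#[0-9A-Fa-f]{6}$/', $value ) ) { // re-check on output
            $css .= '--' . str_replace( '_', '-', $key ) . ':' . $value . ';';
        }
    }
    echo '<style>:root{' . $css . '}</style>';
}
add_action( 'wp_head', 'example_print_theme_css' );
```

The nonce checked in step 2 would be created with wp_create_nonce( 'example_store_theme' ) in the admin page that issues the request.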

Fix

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-07034
CVE-2024-7094

Affected Products

The Js Help Desk – The Ultimate Help Desk & Support Plugin