PT-2026-28342 · WordPress · Js Help Desk – Ai-Powered Support & Ticketing System

Nabil Irawan · Published 2026-03-26 · Updated 2026-03-29 · CVE-2026-2511

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress versions prior to 3.0.5

Description

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is susceptible to SQL Injection through the multiformid parameter within the storeTickets() function. The user-supplied multiformid value is passed through esc_sql() but is then placed in the SQL query without enclosing quotes, so the escaping is ineffective against payloads that contain no quote characters. This allows unauthenticated attackers to inject additional SQL queries into existing queries, potentially extracting sensitive information from the database.

Recommendations

Update the JS Help Desk – AI-Powered Support & Ticketing System plugin to version 3.0.5 or later.
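The flaw class from the description, modelled as an added example (not the plugin's code and not its 3.0.5 fix): quote escaping leaves a quote-free value untouched, so an unquoted numeric position needs integer validation and a bound parameter. Assumptions: `escape_quotes()` is a simplified stand-in for `esc_sql()`, SQLite stands in for MySQL, and the `fields` table and its rows are constructed.

```python
import sqlite3

def escape_quotes(value: str) -> str:
    # Simplified stand-in for esc_sql(): it only neutralises quote characters.
    return value.replace("'", "''")

def build_db() -> sqlite3.Connection:
    # Constructed sample data; the table and column layout are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fields (id INTEGER PRIMARY KEY, multiformid INTEGER, label TEXT)")
    db.executemany(
        "INSERT INTO fields (multiformid, label) VALUES (?, ?)",
        [(1, "public subject"), (1, "public body"), (2, "internal staff note")],
    )
    return db

def lookup_unquoted(db: sqlite3.Connection, multiformid: str) -> list:
    # Flawed pattern from the description: escaped, but placed in an unquoted
    # position, so the value is parsed as SQL syntax rather than as a literal.
    sql = ("SELECT label FROM fields WHERE multiformid = "
           + escape_quotes(multiformid) + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db: sqlite3.Connection, multiformid: str) -> list:
    # Hardened form: accept only a short run of ASCII digits, then bind the
    # value as a parameter so it can never be parsed as SQL.
    if not (multiformid.isascii() and multiformid.isdigit() and len(multiformid) <= 18):
        raise ValueError("multiformid must be a non-negative integer")
    sql = "SELECT label FROM fields WHERE multiformid = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (int(multiformid),))]

if __name__ == "__main__":
    db = build_db()
    quote_free = "1 OR 1=1"  # constructed input containing no quote characters
    print(escape_quotes(quote_free) == quote_free)  # escaping changes nothing
    print(lookup_unquoted(db, "1"))                 # rows of form 1 only
    print(lookup_unquoted(db, quote_free))          # rows of every form
    try:
        lookup_hardened(db, quote_free)
    except ValueError as exc:
        print("rejected:", exc)
```

In WordPress code the corresponding controls are an integer cast such as `absint()` or a `%d` placeholder in `$wpdb->prepare()`.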

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-2511

Affected Products

Js Help Desk – Ai-Powered Support & Ticketing System