JS Help Desk WordPress Plugin Vulnerable to SQL Injection (CVE-2026-2511)
The JS Help Desk WordPress plugin versions 3.0.4 and earlier are vulnerable to SQL injection via the `multiformid` parameter in the `storeTickets()` function, allowing unauthenticated attackers to extract sensitive information from the database.
The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress, up to and including version 3.0.4, contains a SQL injection vulnerability (CVE-2026-2511). The vulnerability exists within the storeTickets() function, specifically through the multiformid parameter. Due to improper input sanitization, an unauthenticated attacker can inject arbitrary SQL queries by manipulating the multiformid parameter. The esc_sql() function fails to adequately sanitize the input because the result is not enclosed in quotes, rendering it ineffective against payloads lacking quote characters. Exploitation of this vulnerability enables attackers to extract sensitive information directly from the WordPress database. This affects any WordPress installation using a vulnerable version of the JS Help Desk plugin.
Attack Chain
- The attacker identifies a WordPress website using a vulnerable version (<= 3.0.4) of the JS Help Desk plugin.
- The attacker crafts a malicious HTTP request targeting the
storeTickets()function. - The request includes a specially crafted
multiformidparameter containing a SQL injection payload. This payload aims to bypass the inadequateesc_sql()sanitization. - The WordPress server receives the request and passes the unsanitized
multiformidvalue to the SQL query. - The injected SQL code is executed against the WordPress database, allowing the attacker to perform unauthorized database operations.
- The attacker uses the SQL injection to extract sensitive data such as user credentials, API keys, or other confidential information stored in the database tables.
- The extracted data is then exfiltrated by the attacker for malicious purposes.
Impact
Successful exploitation of this SQL injection vulnerability can lead to the complete compromise of the WordPress database. Attackers can steal sensitive information, including user credentials, potentially affecting all users of the website. This could lead to account takeovers, data breaches, and reputational damage. Given the popularity of WordPress, a successful widespread exploit could affect thousands of websites across various sectors. The CVSS v3.1 score of 7.5 indicates a high severity vulnerability with significant potential impact.
Recommendation
- Upgrade the JS Help Desk plugin to a version higher than 3.0.4 to patch CVE-2026-2511.
- Deploy the Sigma rule "Detect SQL Injection Attempts in JS Help Desk Plugin" to your SIEM to detect exploitation attempts.
- Monitor web server logs for suspicious POST requests to the JS Help Desk plugin endpoints with unusual parameters in the
cs-uri-queryfield to identify potential exploitation attempts. - Implement a Web Application Firewall (WAF) rule to filter out malicious SQL injection payloads in the
multiformidparameter.
Detection coverage 2
Detect SQL Injection Attempts in JS Help Desk Plugin
highDetects potential SQL injection attempts targeting the JS Help Desk WordPress plugin by looking for suspicious characters and SQL keywords in the URI query.
Detect SQL Injection via WordPress POST Request
highDetects potential SQL injection attempts by searching for SQL keywords within POST requests to WordPress admin-ajax.php, indicating potential plugin vulnerabilities
Detection queries are available on the platform. Get full rules →