Unrated severity · NVD Advisory · Published Feb 13, 2025 · Updated Apr 8, 2026

JS Help Desk – The Ultimate Help Desk & Support Plugin <= 2.8.8 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

CVE-2024-13606

Description

The JS Help Desk plugin for WordPress up to 2.8.8 exposes sensitive ticket attachments in /wp-content/uploads/jssupportticketdata to unauthenticated attackers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The JS Help Desk – The Ultimate Help Desk & Support Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8. The plugin stores support ticket file attachments in the /wp-content/uploads/jssupportticketdata directory with no access control mechanisms, as seen in the upload path handling code in the jssupportticket_upload_dir function [1]. The directory is publicly accessible, allowing any unauthenticated user to browse and download files stored there.

Exploitation

An unauthenticated attacker can exploit this vulnerability by directly accessing the /wp-content/uploads/jssupportticketdata directory via a web browser or automated script. No authentication or user interaction is required. The attacker only needs to know the URL path to the directory: if directory indexing is enabled the server lists the contents, and otherwise the attacker may guess filenames. The uploaded files include attachments that customers or agents have uploaded to support tickets, which could contain sensitive information.

Impact

Successful exploitation leads to unauthorized disclosure of sensitive data contained in support ticket attachments. This data can include personally identifiable information (PII), financial details, system logs, or other confidential documents exchanged during support interactions. The attacker gains no code execution, but information exposure can lead to further targeted attacks or privacy breaches.

Mitigation

The vulnerability is present in all versions up to 2.8.8. According to the plugin repository [2], version 3.1.0 has been released with new AI features and version updates, and it likely contains a fix. Users are strongly advised to update to the latest version (3.1.0 as of the reference). No other workaround is known: if immediate patching is not possible, the only interim mitigation is to remove or restrict directory listing on the server, but updating the plugin is the recommended course of action.
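To review whether the directory was already being read before the update, the web server's access log can be searched for requests under that path. The following is an added example, not code from the advisory or the plugin; it assumes Apache/nginx "combined" log format, and the sample lines, IP addresses and file names are constructed. An access log does not show whether the requester was logged in to WordPress, so every served hit is a candidate for review.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

EXPOSED_DIR = "/wp-content/uploads/jssupportticketdata"  # path from the advisory

# Assumption: access log lines are in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (ip, kind) for a request under EXPOSED_DIR, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = unquote(m["target"].split("?", 1)[0])   # drop query, decode %xx
    path = posixpath.normpath(raw)                # collapse "/./" and "/../"
    if path != EXPOSED_DIR and not path.startswith(EXPOSED_DIR + "/"):
        return None                               # also rejects "...data-old/"
    if not m["status"].startswith("2"):
        return m["ip"], "probe"                   # e.g. 403/404: nothing served
    # A served URL ending in "/" is a directory index; anything else is a file.
    return m["ip"], ("listing" if raw.endswith("/") else "download")

def summarize(lines):
    """Count listing/download/probe hits per client IP."""
    hits = defaultdict(lambda: {"listing": 0, "download": 0, "probe": 0})
    for line in lines:
        result = classify(line)
        if result:
            ip, kind = result
            hits[ip][kind] += 1
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Feb/2025:10:01:02 +0000] "GET /wp-content/uploads/jssupportticketdata/ HTTP/1.1" 200 1532 "-" "ExampleAgent/1.0"',
    '203.0.113.7 - - [13/Feb/2025:10:01:05 +0000] "GET /wp-content/uploads/jssupportticketdata/example-dir/invoice.pdf HTTP/1.1" 200 48211 "-" "ExampleAgent/1.0"',
    '203.0.113.7 - - [13/Feb/2025:10:01:09 +0000] "GET /wp-content/uploads/jssupportticketdata/example-dir/%73creenshot.png?v=1 HTTP/1.1" 206 9000 "-" "ExampleAgent/1.0"',
    '198.51.100.23 - - [13/Feb/2025:11:20:00 +0000] "GET /wp-content/uploads/./jssupportticketdata/example-dir/ HTTP/1.1" 403 199 "-" "ExampleAgent/1.0"',
    '198.51.100.23 - - [13/Feb/2025:11:20:04 +0000] "GET /wp-content/uploads/2025/02/logo.png HTTP/1.1" 200 2048 "-" "ExampleAgent/1.0"',
    '192.0.2.50 - - [13/Feb/2025:12:00:00 +0000] "GET /wp-content/uploads/jssupportticketdata-old/a.txt HTTP/1.1" 200 10 "-" "ExampleAgent/1.0"',
]
if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

A "listing" count above zero means the server returned a directory index, which is the condition the interim mitigation is meant to close.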

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
