VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2024 · Updated Apr 28, 2026

WordPress JS Help Desk plugin <= 2.8.3 - Broken Access Control vulnerability

CVE-2024-31273

Description

Missing authorization in JS Help Desk plugin for WordPress up to v2.8.3 allows unauthenticated attackers to access or modify support tickets and agent notes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A missing authorization vulnerability exists in the JS Help Desk – Best Help Desk & Support Plugin for WordPress (versions up to and including 2.8.3) [1]. The plugin fails to properly verify user capabilities when processing certain AJAX requests related to ticket and note management, allowing unauthenticated access to functions that should require agent-level permissions.

Exploitation

An unauthenticated attacker with network access to a WordPress site running the vulnerable plugin can exploit this by sending crafted HTTP requests to the plugin's AJAX endpoints without any authentication token or session [1]. No user interaction is required, and the attack does not rely on any special configuration beyond the default installation of the vulnerable plugin version.

Impact

Successful exploitation allows an attacker to read, create, modify, or delete support tickets and internal agent notes [1]. This can lead to disclosure of sensitive customer information (including email addresses and support histories), unauthorized modification of ticket data, and potential privilege escalation if administrative actions are exposed through the same missing authorization checks. The attacker gains the ability to impersonate support agents or administrators within the ticket system.

Mitigation

The fixed version is 2.8.4, released on 2024-06-08 [1]. Sites running version 2.8.3 or earlier should update immediately to the latest version (3.1.0 as of the reference). If immediate update is not possible, administrators should review and restrict access to the plugin's AJAX endpoints via Web Application Firewall (WAF) rules or disable the plugin until patching can be applied. No workaround is provided in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
