WordPress JS Help Desk – The Ultimate Help Desk plugin <= 2.8.6 - Broken Access Control vulnerability
Description
Missing authorization in JS Help Desk plugin for WordPress (≤2.8.6) allows unauthenticated attackers to access restricted ACL-gated functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The JS Help Desk – Best Help Desk & Support Plugin for WordPress versions from n/a through 2.8.6 contain a missing authorization vulnerability (CWE-862). The plugin fails to properly constrain access to certain administrative or privileged functions via Access Control Lists (ACLs), allowing functionality intended for authorized users to be reachable by unauthenticated visitors. The official description confirms that the issue affects all versions up to and including 2.8.6 [1].
Exploitation
An attacker with no prior authentication or special privileges can exploit this weakness by directly requesting the vulnerable endpoints or actions that should have been protected by ACL checks. Because the vulnerability is categorized as missing authorization (no privilege escalation chain is required), exploitation likely involves crafting HTTP requests to administrative AJAX handlers, REST endpoints, or other plugin-specific entry points that fail to verify a capability or nonce before performing sensitive operations [1]. User interaction is not required.
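The handler pattern this class of bug comes down to, as an added illustration (not code from JS Help Desk): a hypothetical WordPress AJAX action that performs a privileged write with no capability or nonce check, beside a hardened form. The hook names, the `demo_ticket` post type and the meta key are invented.

```php
<?php
// Added example, not the plugin's code. The action names, 'demo_ticket' post
// type and 'demo_ticket_status' meta key are hypothetical.

// VULNERABLE PATTERN (CWE-862): registered for logged-in AND anonymous
// ('nopriv') callers, and the callback does a privileged write without any
// capability or nonce check, so any visitor can trigger it.
add_action( 'wp_ajax_demo_update_ticket',        'demo_update_ticket_unsafe' );
add_action( 'wp_ajax_nopriv_demo_update_ticket', 'demo_update_ticket_unsafe' );
function demo_update_ticket_unsafe() {
    $ticket_id = absint( $_POST['ticket_id'] ?? 0 );
    $status    = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $ticket_id, 'demo_ticket_status', $status ); // privileged write
    wp_send_json_success();
}

// HARDENED PATTERN: registered only for authenticated users, then a nonce
// check (CSRF) followed by the actual authorization gate, a capability check.
// A nonce alone is not authorization: any logged-in user can obtain one.
add_action( 'wp_ajax_demo_update_ticket_v2', 'demo_update_ticket_safe' );
function demo_update_ticket_safe() {
    check_ajax_referer( 'demo_update_ticket', 'nonce' );   // dies with 403 on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {        // ACL / capability gate
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $ticket_id = absint( $_POST['ticket_id'] ?? 0 );
    if ( ! $ticket_id || get_post_type( $ticket_id ) !== 'demo_ticket' ) {
        wp_send_json_error( array( 'message' => 'invalid ticket' ), 400 );
    }
    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $ticket_id, 'demo_ticket_status', $status );
    wp_send_json_success( array( 'ticket_id' => $ticket_id, 'status' => $status ) );
}
```

When auditing a plugin for this weakness, the quick check is to grep for `wp_ajax_nopriv_` registrations and `permission_callback => '__return_true'` REST routes and confirm each callback enforces a capability check itself.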
Impact
Successful exploitation allows an attacker to access functionality not properly constrained by ACLs. The exact impact depends on which unconstrained functions exist; typical outcomes include reading or modifying support tickets, accessing private customer information, altering plugin settings, or performing other privileged actions without proper authorization. This can lead to information disclosure (including sensitive data from support tickets) and partial loss of integrity. The vulnerability is rated as missing authorization, so the attacker gains the permissions of the misconfigured endpoint rather than a full admin account [1].
Mitigation
As of the available information, the vulnerability exists in versions up to 2.8.6 and no patched version has been confirmed in the references. Users should update to version 3.1.0 (or any release later than 2.8.6) once a fixed release is confirmed; the plugin's latest version (3.1.0) may contain the fix. No official CISA KEV listing was identified. Site administrators should review plugin settings, restrict any sensitive endpoints via a web application firewall, and monitor for updates from the plugin vendor [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.8.6
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.