VYPR
High severity (8.5) · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2026-24959

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection. This issue affects JS Help Desk: from n/a through <= 3.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in JS Help Desk plugin (≤3.0.1) allows unauthenticated attackers to extract database contents via crafted input.

Vulnerability Overview

The JS Help Desk plugin for WordPress (js-support-ticket), in versions up to and including 3.0.1, contains a blind SQL injection vulnerability classified as Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). User-supplied input is not properly sanitized before being used in database queries, so an attacker can inject malicious SQL through it [1].

Exploitation Details

The vulnerability is exploitable without authentication, making it accessible to any remote attacker. It is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1]. The attack surface is broad because the plugin is deployed on many sites.

Impact

Successful exploitation allows an attacker to directly interact with the underlying database. This could lead to data theft, including sensitive information such as user credentials, personal data, or other stored content. The CVSS v3 score of 8.5 (High) reflects the severe potential for confidentiality impact [1].

Mitigation

The vendor has released version 3.0.2, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule that blocks attacks until the patch is applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
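To act on the mitigation advice above, the following added example (not part of the advisory or of the plugin's own code) audits WordPress roots for a js-support-ticket install at or below 3.0.1 by reading the plugin header's `Version:` line. It assumes the default `wp-content/plugins` layout; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "js-support-ticket"   # plugin slug named in the advisory
LAST_VULNERABLE = (3, 0, 1)         # advisory: affected through <= 3.0.1
# WordPress takes plugin metadata from "Name: value" lines in the header
# comment of the plugin's main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)


def parse_version(text):
    """Turn '3.0.1' into (3, 0, 1); a non-numeric part ends the parse."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    while len(parts) < 3:           # pad so '3.0' compares as (3, 0, 0)
        parts.append(0)
    return tuple(parts)


def installed_version(plugin_dir):
    """Return the version string from the plugin header, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if re.search(r"Plugin Name:", head, re.I):
            match = VERSION_RE.search(head)
            if match:
                return match.group(1)
    return None


def audit(wp_root):
    """Return (status, version) for one WordPress root directory."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)    # header unreadable: inspect by hand
    if parse_version(version) <= LAST_VULNERABLE:
        return ("vulnerable", version)
    return ("patched", version)


if __name__ == "__main__":
    for root in sys.argv[1:]:
        status, version = audit(root)
        print(f"{root}: {PLUGIN_SLUG} {status} {version or ''}".rstrip())
```

Pass one or more WordPress root directories as arguments; a deactivated copy is still reported because its files remain on disk.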
