VYPR
Critical severity 9.3 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-48886

Description

Unauthenticated SQL injection in JS Help Desk plugin for WordPress versions up to 3.0.9 allows attackers to interact with the database, risking data theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The JS Help Desk plugin for WordPress, versions up to and including 3.0.9, contains an unauthenticated SQL injection vulnerability. The affected endpoint is not identified here; what the reference states is that an attacker can inject arbitrary SQL into a database query without any prior authentication. The vulnerability is rated critical (CVSS 9.3) and is expected to be exploited in mass campaigns [1].

Exploitation

Exploitation is remote and requires neither authentication nor user interaction: the attacker sends specially crafted HTTP requests to the vulnerable plugin, and the injected SQL is executed against the site's database. No request details are given on this page. The reference rates the flaw as highly dangerous and likely to be used in automated attacks targeting thousands of websites simultaneously [1].

Impact

Successful exploitation lets a malicious actor interact directly with the underlying database, with whatever privileges the site's database account holds. That gives unauthorized read access to sensitive data, including but not limited to user credentials (WordPress stores password hashes in its users table), personal information, and other stored records. The attacker may also be able to modify or delete data, which can compromise the entire site [1].

Mitigation

The vulnerability is fixed in version 3.1.0 of the JS Help Desk plugin. Update to 3.1.0 or later immediately. Patchstack has issued a mitigation rule that blocks attacks until the update is applied, and Patchstack users can enable auto-update for vulnerable plugins. Treat the mitigation rule as a stopgap only: it filters known attack patterns in front of the plugin, while the vulnerable query path remains in place until the plugin itself is updated. No other workarounds are mentioned in the available reference [1].
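A version check a practitioner can run against an installed copy, added here as an example; it is not code from the plugin, from Patchstack or from the advisory. It parses the Version: line of the WordPress plugin header comment (the metadata block WordPress reads from a plugin's main PHP file), compares it with the fixed release 3.1.0, and reports every lower version, including pre-releases of 3.1.0, as affected. The SAMPLE_HEADER text is constructed for the example, and the path passed to check_plugin_file() is an assumption: the advisory does not name the plugin's directory or main file.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# From the advisory: releases up to and including 3.0.9 are affected; 3.1.0 carries the fix.
FIXED_VERSION = "3.1.0"

# Constructed sample of a WordPress plugin header; not the real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: JS Help Desk
 * Version: 3.0.9
 * Text Domain: js-help-desk
 */
"""

# Same shape WordPress uses to read header fields: optional comment decoration, then "Version:".
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header, or None if no such line exists."""
    match = _VERSION_RE.search(header_text)
    return match.group(1).strip() if match else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split a dotted version into numeric components plus a release flag.

    '3.0.9' -> ((3, 0, 9), 1); '3.1.0-beta1' -> ((3, 1, 0), 0).
    The flag orders a pre-release of X below the final release of X, which is
    what PHP's version_compare() does for the common suffixes.
    """
    nums, release = [], 1
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            release = 0
            break
        nums.append(int(digits.group()))
        if digits.end() != len(piece):  # trailing suffix such as "0-beta1"
            release = 0
            break
    return tuple(nums), release


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts below the fixed release (shorter versions are zero-padded)."""
    (a_nums, a_rel), (b_nums, b_rel) = version_key(version), version_key(fixed)
    if not a_nums:
        raise ValueError(f"unparseable version string: {version!r}")
    width = max(len(a_nums), len(b_nums))
    a_nums += (0,) * (width - len(a_nums))
    b_nums += (0,) * (width - len(b_nums))
    return (a_nums, a_rel) < (b_nums, b_rel)


def check_header_text(header_text: str, label: str) -> str:
    """Classify one plugin header; returns a one-line report."""
    version = parse_plugin_version(header_text)
    if version is None:
        return f"{label}: no Version: header found; inspect manually"
    if is_vulnerable(version):
        return f"{label}: version {version} is VULNERABLE (update to {FIXED_VERSION} or later)"
    return f"{label}: version {version} is fixed"


def check_plugin_file(path: str) -> str:
    """Read the plugin's main file from disk; the caller supplies the path (assumed, not given
    by the advisory), typically wp-content/plugins/<slug>/<main-file>.php."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return check_header_text(text, path)


if __name__ == "__main__":
    print(check_header_text(SAMPLE_HEADER, "sample header"))
```

Run it with the real path on a suspect host (for example `check_plugin_file("/var/www/html/wp-content/plugins/<slug>/<main-file>.php")`, slug and file name to be confirmed locally) and act on any VULNERABLE result; a header with no Version: line is reported for manual inspection rather than assumed safe.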

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 · No fix commit discovered yet (the fix ships in plugin release 3.1.0; see Mitigation).

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are generated only when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1