CVE-2026-48887

Vulnerability

The vulnerability is an unauthenticated broken access control issue in the JS Help Desk plugin for WordPress versions up to 3.0.9. It stems from missing authorization, authentication, or nonce token checks in a function, allowing unprivileged users to execute actions normally restricted to higher privilege levels [1].

Exploitation

An attacker can exploit this vulnerability without any authentication by sending crafted HTTP requests to the vulnerable endpoint. The missing access control enables the attacker to perform privileged actions. This vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation allows an attacker to perform higher privileged actions, potentially leading to unauthorized data disclosure, modification, or other compromise of the WordPress site. The exact impact depends on the specific function affected by the broken access control [1].

Mitigation

The vulnerability is fixed in version 3.1.0 or later. Users are advised to update immediately. Patchstack has issued a mitigation rule to block attacks until the update is applied. If unable to update, users should contact their hosting provider or web developer for assistance [1].