CVE-2026-2511 (Severity: HIGH)

CVE-2026-2511: JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter

Vendor: Rabilal
Product: JS Help Desk – AI-Powered Support & Ticketing System
Weakness: CWE-89 (SQL Injection)
Published: March 26, 2026
Last update: April 8, 2026

CVSS base score: 7.5/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
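The root cause described above, shown as an added stand-alone PHP illustration (not the plugin's code; the table and column names are hypothetical). It stands in for `esc_sql()` with `addslashes()`, an assumption that holds for the point being made because the real function also rewrites only quotes, backslashes and NUL bytes, so a quote-free value passes through untouched when it is interpolated without surrounding quotes; the hardened builder coerces the value to an integer, which is what `$wpdb->prepare()` with a `%d` placeholder does in WordPress.

```php
<?php
// Added illustration, not code from the JS Help Desk plugin.
// Table and column names below are hypothetical.

// Stand-in for WordPress esc_sql(): the real function escapes via mysqli,
// which, like addslashes(), touches only quotes, backslashes and NUL bytes.
function esc_sql_stub(string $value): string {
    return addslashes($value);
}

// Stand-in for WordPress absint(): coerce to a non-negative integer.
function absint_stub(string $value): int {
    return abs((int) $value);
}

// Vulnerable pattern: escaped value interpolated WITHOUT surrounding quotes.
// Escaping neutralises quote characters only, so a quote-free value is
// emitted verbatim and becomes SQL grammar instead of a string literal.
function build_query_vulnerable(string $multiformid): string {
    $id = esc_sql_stub($multiformid);
    return "SELECT * FROM wp_jssupportticket_forms WHERE id = $id";
}

// Hardened pattern: the parameter is an integer, so coerce it and bind it as
// %d. In WordPress this is:
//   $wpdb->prepare("SELECT ... WHERE id = %d", absint($multiformid))
function build_query_fixed(string $multiformid): string {
    $id = absint_stub($multiformid);
    return sprintf("SELECT * FROM wp_jssupportticket_forms WHERE id = %d", $id);
}

// Returns true when escaping left the value unchanged, i.e. the value
// contained nothing that quote-based escaping acts on.
function escaping_is_noop(string $value): bool {
    return esc_sql_stub($value) === $value;
}

// Constructed inputs: a legitimate id and a quote-free value carrying extra SQL.
$benign  = "42";
$tainted = "42 OR 1=1";

var_dump(escaping_is_noop($tainted));      // bool(true): nothing to escape
echo build_query_vulnerable($tainted), "\n"; // trailing clause survives intact
echo build_query_fixed($tainted), "\n";      // collapses to WHERE id = 42
echo build_query_fixed($benign), "\n";       // legitimate input still works
```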

Explanation of Vulnerability in Simple Terms

JS Help Desk contains a SQL injection vulnerability in versions up to and including 3.0.4. An unauthenticated attacker can append additional SQL to an existing database query and read sensitive data. The vulnerability requires only network access and no user interaction. Update to a version newer than 3.0.4 to resolve this issue.

What an attacker can do

Read sensitive data from the database without logging in.

Potential impact on your site

Attackers can extract customer data, ticket information, and other sensitive records from your help desk database.

Conditions required to exploit

Network access to the affected site; no authentication or user interaction required.

Key dates

March 26, 2026: CVE published
April 8, 2026: Record updated