What the vulnerability does
01 Description
The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. The user-supplied `multiformid` value is passed through `esc_sql()` and then interpolated into the SQL query as a bare, unquoted token. `esc_sql()` only escapes quote and backslash characters; it never adds quotes. A payload that contains no quote characters (a digit followed by SQL keywords, for example) therefore passes through the escaping unchanged and is parsed as SQL, rendering the escaping ineffective. This makes it possible for unauthenticated attackers to append additional SQL to the existing query and use it to extract sensitive information from the database.
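The escape-without-quotes pattern described above, reproduced as an added example. This is not the plugin's code: the table names (other than WordPress core's `wp_users`/`user_email`), the sample rows, the `esc_sql()`/`intval()` models and the UNION payload are all assumptions made so the example runs stand-alone on SQLite. It shows the vulnerable form (escaped value interpolated unquoted) beside the hardened form (value bound as an integer parameter, which is what `$wpdb->prepare()` with a `%d` placeholder does in WordPress).

```python
import re
import sqlite3


def esc_sql(value: str) -> str:
    # Model of WordPress esc_sql(): escapes quotes and backslashes but never
    # adds quotes, so it only protects a value the caller wraps in quotes.
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def php_intval(value: str) -> int:
    # Loose model of PHP intval()/absint(): leading integer, otherwise 0.
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def make_db() -> sqlite3.Connection:
    # Constructed sample schema (hypothetical; not the plugin's real tables).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ticket_fields (multiformid INTEGER, fieldname TEXT);
        INSERT INTO ticket_fields VALUES (1, 'subject'), (1, 'priority'), (2, 'department');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', 'admin@example.test');
    """)
    return db


def fields_vulnerable(db: sqlite3.Connection, multiformid: str) -> list[str]:
    # The advisory's pattern: esc_sql() applied, result interpolated WITHOUT
    # surrounding quotes. Anything without a quote character survives intact.
    sql = "SELECT fieldname FROM ticket_fields WHERE multiformid = " + esc_sql(multiformid)
    return [row[0] for row in db.execute(sql)]


def fields_fixed(db: sqlite3.Connection, multiformid: str) -> list[str]:
    # Hardened form: coerce to an integer and bind it as a parameter. The value
    # can no longer become SQL syntax regardless of what it contains.
    sql = "SELECT fieldname FROM ticket_fields WHERE multiformid = ?"
    return [row[0] for row in db.execute(sql, (php_intval(multiformid),))]


# Constructed payload: no quote characters, so esc_sql() returns it unchanged.
PAYLOAD = "0 UNION SELECT user_email FROM wp_users"


def demo() -> dict:
    db = make_db()
    return {
        "benign": fields_vulnerable(db, "1"),
        "payload_vulnerable": fields_vulnerable(db, PAYLOAD),
        "payload_fixed": fields_fixed(db, PAYLOAD),
        "escaped_unchanged": esc_sql(PAYLOAD) == PAYLOAD,
    }


def quoted_payload_rejected() -> bool:
    # For contrast: a payload that relies on quote characters IS neutralised,
    # because the escaped quotes make the unquoted context a syntax error
    # (SQLite rejects the backslash token; MySQL would also fail to parse).
    db = make_db()
    try:
        fields_vulnerable(db, "1' OR '1'='1")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("quoted payload rejected:", quoted_payload_rejected())
```

The point the two queries make: escaping is a property of the quoted-string context, not of the value. Once the value is used as a number, the only safe options are numeric coercion plus a bound parameter (`%d` in `$wpdb->prepare()`), never `esc_sql()` alone.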
Explanation of Vulnerability in Simple Terms
02 Summary
JS Help Desk contains a SQL injection vulnerability in versions up to and including 3.0.4. An unauthenticated attacker can inject SQL into a query the plugin runs and use it to read sensitive data from the database. Exploitation requires only network access to the site and no user interaction. Update to a version newer than 3.0.4 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the database without logging in.
Potential impact on your site
04 Site Impact
Attackers can extract customer data, ticket information, and other sensitive records from your help desk database. Because a plugin's queries run with the same database credentials as WordPress core, the injected SQL is not limited to the plugin's own tables; any table in the WordPress database is within reach.
Conditions required to exploit
05 Prerequisites
Network access to the affected site running a vulnerable version (3.0.4 or earlier); no authentication or user interaction required.
Key dates
06 Disclosure timeline
March 26, 2026
CVE published
April 8, 2026
Record updated