Unauthenticated Code Execution Vulnerability in JS Help Desk WordPress Plugin
CVE-2024-7094

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Js Help Desk – The Ultimate Help Desk & Support Plugin
Vendor: CVE Published:; 13 August 2024

Summary

The JS Help Desk – The Ultimate Help Desk & Support Plugin for WordPress has a significant vulnerability that allows PHP code injection through the 'storeTheme' function. This flaw is attributed to inadequate sanitization of user-input values, which can lead to unauthorized alterations in the style.php file. These weaknesses provide a pathway for unauthenticated attackers to execute arbitrary code on the server. The vulnerability exists in all versions prior to 2.8.6, which partially addressed the code injection risk. Comprehensive patches were further implemented in version 2.8.7, adding necessary authorization and cross-site request forgery protections.

Affected Version(s)

JS Help Desk – The Ultimate Help Desk & Support Plugin * <= 2.8.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/js-support-tic...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 13, 2024
Vulnerability Reserved
Jul 24, 2024

Credit

Connor Billings