Freshdesk (official) Security & Risk Analysis

wordpress.org/plugins/freshdesk-support

Quickly embed the Freshdesk help widget, convert WordPress comments to tickets and seamlessly log your WordPress users into your support portal.

900 active installs · v2.4.1 · PHP + WP 3.4+ · Updated Jul 1, 2024
Tags: contact-form, customer-support-software, freshdesk, helpdesk, knowledge-base
Security score: 89 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Apr 12, 2024
Safety Verdict

Is Freshdesk (official) Safe to Use in 2026?

Generally Safe

Score 89/100

Freshdesk (official) has no unpatched vulnerabilities. Its three known CVEs are all fixed in 2.4.0 or earlier, although patch times ranged from 22 to 682 days.

3 known CVEs · Last CVE: Apr 12, 2024 · Updated 1yr ago
Risk Assessment

The freshdesk-support plugin at v2.4.1 presents a mixed posture. On the positive side, 87% of its SQL queries (101 of 116) go through prepared statements, 76% of its outputs (94 of 123) are escaped, and the code contains 7 nonce checks and 8 capability checks, so the developer knows the basics. The main static-analysis finding is one AJAX handler, wp_ajax_fd_ticket_action (fresh-desk.php:65), in which the scanner found no nonce or capability check. It is registered on a wp_ajax_ hook rather than wp_ajax_nopriv_, so WordPress only dispatches it for logged-in users, but that is the only gate: any authenticated account, including a subscriber, can call it directly, and a logged-in user's browser can be made to call it cross-site, which is the weakness class behind CSRF findings. Taint analysis also reports that 3 of the 8 tracked data flows reach a sink without passing through a sanitizer (one of them in wpoauth_method_destroy, oauth\includes\filters.php:158). None is rated critical or high, but they are the first places to read when auditing the plugin.

The vulnerability history, three CVEs (one high, two medium) disclosed in 2022, 2023 and 2024, is the larger concern. Both classes involved, open redirect and CSRF, come from trusting request parameters: a redirect target that was not validated against the site's host, and a state-changing request that carried no nonce. All three are fixed, but the patch times vary widely: the 2024 open redirect was closed in 2.4.0 within 22 days, while the CSRF took 682 days and the earlier open redirect 281 days, which is where the developer's 328-day average patch time comes from. With no unpatched CVEs, a last release on Jul 1, 2024 and a tested-up-to of WordPress 6.4.8, the open question is less the current code than how quickly the next issue would be fixed. Keep the plugin on 2.4.1 or later, and when auditing it start with the request-handling paths: the login_redirect and login_init hooks, the unprotected AJAX handler, and the bundled OAuth server under oauth/, which hooks determine_current_user and rest_authentication_errors and therefore takes part in authenticating REST requests.

Key Concerns

  • One AJAX handler (wp_ajax_fd_ticket_action, fresh-desk.php:65) with no nonce or capability check
  • 3 of 8 data flows reach a sink with no sanitizer on the path
  • History of 3 known CVEs (1 High, 2 Medium), the latest in Apr 2024
  • 13% of SQL queries (15 of 116) do not use prepared statements
  • 24% of outputs (29 of 123) are not escaped
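The first, fourth and fifth concerns above share one remediation pattern. The following is an added illustration in PHP, not code from the Freshdesk plugin: a WordPress AJAX handler in the shape the scanner flags as unprotected, beside a hardened version that carries the nonce, capability, input, prepared-query and output checks the code-analysis counters look for. The hook names, function names, the ticket.js script and the comment-conversion logic are all hypothetical.

```php
<?php
// Added illustration, not the Freshdesk plugin's code.
// Hook names, function names and the comment-to-ticket logic are hypothetical.

// --- Pattern the scanner flags as "unprotected": registered on wp_ajax_ (so only
// logged-in users reach it) but with no nonce check and no capability check,
// plus a raw SQL query and unescaped output.
add_action( 'wp_ajax_example_ticket_action', 'example_ticket_action_unprotected' );
function example_ticket_action_unprotected() {
    global $wpdb;
    $comment_id = $_POST['comment_id'];            // untrusted, never validated
    // Raw query: $comment_id is interpolated straight into SQL.
    $wpdb->query( "UPDATE {$wpdb->comments} SET comment_approved = '0' WHERE comment_ID = $comment_id" );
    // Unescaped output: reflects attacker-controlled input back to the browser.
    echo 'Converted comment ' . $comment_id;
    wp_die();
}

// --- Hardened form: every check the code-analysis counters look for.
add_action( 'wp_ajax_example_ticket_action_secure', 'example_ticket_action_secure' );
function example_ticket_action_secure() {
    // 1. Anti-CSRF: the request must carry a nonce minted for this user and action.
    //    check_ajax_referer() ends the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_ticket_action', 'nonce' );

    // 2. Authorization: a logged-in session is not an authorization decision.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: coerce to the type the sink expects and confirm it exists.
    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    if ( 0 === $comment_id || null === get_comment( $comment_id ) ) {
        wp_send_json_error( array( 'message' => 'unknown comment' ), 400 );
    }

    // 4. Prepared statement: placeholders instead of string interpolation.
    global $wpdb;
    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->comments} SET comment_approved = %s WHERE comment_ID = %d",
            '0',
            $comment_id
        )
    );

    // 5. Output: the JSON helper encodes the response; for HTML use esc_html()/esc_attr().
    wp_send_json_success( array( 'message' => sprintf( 'converted comment %d', $comment_id ) ) );
}

// The nonce has to be minted server-side and handed to the page's script, which
// then posts it as the "nonce" field checked above. 'example-ticket' and
// ticket.js are hypothetical.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-ticket', plugins_url( 'ticket.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-ticket', 'exampleTicket', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'action'  => 'example_ticket_action_secure',
        'nonce'   => wp_create_nonce( 'example_ticket_action' ),
    ) );
} );
```

The detail worth keeping in mind is that registering on wp_ajax_ only guarantees a logged-in session; it says nothing about who that user is or whether they intended to send the request. That is why the nonce check and the capability check are two separate lines, and why a scanner counts a handler without them as unprotected even though anonymous visitors cannot reach it.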
Vulnerabilities
3

Freshdesk (official) Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 1 CVE
2024: 1 CVE
(all patched; none unpatched)

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2024-32129 · medium (6.1) · URL Redirection to Untrusted Site ('Open Redirect')
Freshdesk (official) <= 2.3.6 - Open Redirect
Apr 12, 2024 · Patched in 2.4.0 (22d)

CVE-2015-10102 · medium (5.4) · URL Redirection to Untrusted Site ('Open Redirect')
Freshdesk (official) <= 1.7 - Open Redirect
Apr 17, 2023 · Patched in 1.8 (281d)

WF-6a226790-0774-43f6-a476-a2dac7ae153b-freshdesk-support · high (8.8) · Cross-Site Request Forgery (CSRF)
Freshdesk (official) <= 2.3.6 - Cross-Site Request Forgery
Jun 22, 2022 · Patched in 2.4.0 (682d)
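Both open-redirect advisories above describe the same weakness class: a redirect target taken from the request and used without checking its host. The following is an added example in PHP, not the plugin's code and not the code behind either CVE, showing what a vulnerable login_redirect filter looks like and how WordPress's own wp_validate_redirect() and wp_safe_redirect() close it. The return_to parameter, the function names and the support.example.com host are hypothetical.

```php
<?php
// Added illustration, not the Freshdesk plugin's code.
// The return_to parameter, function names and support.example.com are hypothetical.

// --- Vulnerable shape behind an open-redirect finding: a login_redirect filter
// that hands back whatever URL the request supplied. Anyone can craft
//   wp-login.php?return_to=https://evil.example/
// and a user who logs in through that link is sent to the attacker's site by a
// redirect issued from the trusted domain.
function example_login_redirect_unsafe( $redirect_to, $requested_redirect_to, $user ) {
    if ( ! empty( $_GET['return_to'] ) ) {
        return $_GET['return_to'];   // external and protocol-relative ("//host") URLs pass straight through
    }
    return $redirect_to;
}

// --- Hardened shape: validate the host before trusting the URL.
function example_login_redirect_safe( $redirect_to, $requested_redirect_to, $user ) {
    if ( empty( $_GET['return_to'] ) ) {
        return $redirect_to;
    }
    $candidate = wp_unslash( $_GET['return_to'] );
    // wp_validate_redirect() normalises the URL (including "//host" forms) and
    // returns the fallback unless the host is this site's or is listed by the
    // allowed_redirect_hosts filter. Do not replace it with a strpos() on
    // home_url(): "https://example.com.evil.net/" passes such a check.
    return wp_validate_redirect( $candidate, $redirect_to );
}
add_filter( 'login_redirect', 'example_login_redirect_safe', 10, 3 );

// A support portal on another host is the legitimate case for a helpdesk plugin;
// allow it by name rather than skipping validation.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'support.example.com';
    return $hosts;
} );

// Same rule wherever the code redirects directly: wp_safe_redirect() applies
// wp_validate_redirect() and falls back to admin_url(); wp_redirect() does not.
function example_redirect_to_portal( $url ) {
    wp_safe_redirect( $url );
    exit;
}
```

When reviewing a plugin for this class, grep for wp_redirect(), header('Location:') and any filter on login_redirect, then confirm that each target either comes from a server-side setting or passes through wp_validate_redirect() before use.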
Code Analysis
Analyzed Mar 16, 2026

Freshdesk (official) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 15 (101 prepared)
Unescaped Output: 29 (94 escaped)
Nonce Checks: 7
Capability Checks: 8
File Operations: 9
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

87% prepared (101 of 116 queries)

Output Escaping

76% escaped (94 of 123 outputs)
Data Flows
3 unsanitized

Data Flow Analysis

8 flows, 3 with unsanitized paths
wpoauth_method_destroy (oauth\includes\filters.php:158)
Attack Surface
1 unprotected

Freshdesk (official) Attack Surface

Entry points: 1
Unprotected: 1

AJAX Handlers (1)

auth  wp_ajax_fd_ticket_action  fresh-desk.php:65
(registered on the wp_ajax_ hook, so only logged-in users reach it; the scanner found no nonce or capability check inside the handler, which is why it is counted as unprotected)
WordPress Hooks (35)

type    hook                                        file:line
action  init                                        fresh-desk.php:46
action  admin_menu                                  fresh-desk.php:48
filter  comment_row_actions                         fresh-desk.php:50
filter  login_redirect                              fresh-desk.php:53
filter  login_message                               fresh-desk.php:54
action  admin_notices                               fresh-desk.php:56
action  comment_post                                fresh-desk.php:64
action  admin_init                                  fresh-desk.php:161
action  wp_footer                                   fresh-desk.php:501
action  password_reset                              oauth\includes\actions.php:25
action  profile_update                              oauth\includes\actions.php:43
action  wo_set_access_token                         oauth\includes\actions.php:75
action  login_init                                  oauth\includes\actions.php:81
action  admin_post_wpoauth_regenerate_certificates  oauth\includes\actions.php:103
action  show_user_profile                           oauth\includes\admin\profile.php:8
action  edit_user_profile                           oauth\includes\admin\profile.php:9
action  user_profile_update_errors                  oauth\includes\admin\profile.php:56
action  admin_init                                  oauth\includes\admin-options.php:23
action  admin_menu                                  oauth\includes\admin-options.php:24
action  wpo_global_cleanup                          oauth\includes\cron.php:9
filter  WO_API_Errors                               oauth\includes\filters.php:30
filter  wo_endpoints                                oauth\includes\filters.php:56
filter  rest_index                                  oauth\includes\filters.php:343
action  init                                        oauth\includes\functions.php:24
action  wo_daily_tasks_hook                         oauth\includes\functions.php:601
filter  wo_development                              oauth\includes\functions.php:607
filter  wp_privacy_personal_data_erasers            oauth\includes\wo-personal-data-gpdr.php:16
filter  rest_authentication_errors                  oauth\wp-oauth-main.php:78
filter  determine_current_user                      oauth\wp-oauth-main.php:79
action  init                                        oauth\wp-oauth-main.php:81
action  admin_init                                  oauth\wp-oauth-main.php:84
action  plugins_loaded                              oauth\wp-oauth-server.php:25
action  admin_enqueue_scripts                       oauth\wp-oauth-server.php:63
action  init                                        oauth\wp-oauth-server.php:83
filter  template_include                            oauth\wp-oauth-server.php:118

Scheduled Events 1

wpo_global_cleanup
Maintenance & Trust

Freshdesk (official) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Jul 1, 2024
PHP min version:
Downloads: 47K

Community Trust

Rating: 50/100
Number of ratings: 8
Active installs: 900
Developer Profile

Freshdesk (official) Developer Profile

Freshworks

1 plugin · 900 total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 328 days
Detection Fingerprints

How We Detect Freshdesk (official)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
