CVE-2026-2511
Received Received - Intake
SQL Injection in JS Help Desk Plugin Allows Data Extraction

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: Wordfence

Description
The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2511
EUVD
EUVD-2026-16177
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
js_help_desk js_help_desk to 3.0.4 (inc)
js_support_ticket js_support_ticket to 3.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress has a SQL Injection vulnerability in all versions up to and including 3.0.4. This vulnerability exists in the storeTickets() function via the multiformid parameter. The issue arises because the user-supplied multiformid value is passed to the esc_sql() function without being enclosed in quotes in the SQL query. This improper escaping allows attackers to inject additional SQL queries if their payloads do not contain quote characters.

As a result, unauthenticated attackers can append malicious SQL commands to existing queries, potentially extracting sensitive information from the database.

Impact Analysis

This vulnerability allows unauthenticated attackers to perform SQL Injection attacks, which can lead to unauthorized access to sensitive data stored in the database.

  • Extraction of sensitive information from the database.
  • Potential compromise of data confidentiality.
  • Since the vulnerability does not affect integrity or availability directly (CVSS indicates no impact on integrity or availability), the main risk is data exposure.
Detection Guidance

This vulnerability involves SQL Injection via the `multiformid` parameter in the `storeTickets()` function of the JS Help Desk WordPress plugin versions up to 3.0.4. Detection can focus on monitoring HTTP requests targeting the vulnerable plugin endpoints that include the `multiformid` parameter.

You can detect potential exploitation attempts by inspecting web server logs or using network monitoring tools to look for suspicious requests containing SQL injection payloads in the `multiformid` parameter.

Example commands to detect such attempts might include:

  • Using grep on web server logs to find requests with the `multiformid` parameter: `grep -i 'multiformid=' /var/log/apache2/access.log`
  • Searching for common SQL injection patterns in the `multiformid` parameter, such as SQL keywords or comment characters: `grep -Ei 'multiformid=.*(union|select|--|;|or|and)' /var/log/apache2/access.log`
  • Using network monitoring tools like Wireshark or Zeek to filter HTTP requests containing suspicious `multiformid` values.

Note that the vulnerability arises because the `multiformid` value is passed to `esc_sql()` without quotes, making escaping ineffective for payloads without quotes. Therefore, payloads might include numeric or unquoted SQL fragments.

Mitigation Strategies

The immediate and most effective mitigation step is to update the JS Help Desk plugin to version 3.0.5 or later, which includes a comprehensive security update addressing this vulnerability.

This update involves a thorough security overhaul with new code and assets that fix the SQL injection issue by properly handling the `multiformid` parameter.

If updating immediately is not possible, consider temporarily disabling the vulnerable plugin or restricting access to the affected functionality until the update can be applied.

Additionally, monitor your logs for suspicious activity targeting the `multiformid` parameter and apply web application firewall (WAF) rules to block SQL injection attempts.

Compliance Impact

The vulnerability in the JS Help Desk – AI-Powered Support & Ticketing System plugin allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized disclosure.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive user or customer data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2511. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart