CVE-2026-48886 (CRITICAL), CNA: Patchstack

CVE-2026-48886: WordPress JS Help Desk plugin <= 3.0.9 - SQL Injection vulnerability

Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no upstream fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is an unauthenticated SQL injection vulnerability in the JS Help Desk WordPress plugin, versions 3.0.9 and earlier. It is reachable over the network with no authentication required and no user interaction needed to trigger the flaw. Successful exploitation gives an attacker read access to the underlying database and can disrupt service availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the JS Help Desk plugin. Any image carrying an affected version of the plugin is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.3 CRITICAL using the published CVSS v3.1 vector and weights it against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within the customer's organization based on policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available immediately once a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that time.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or session token is required; the vulnerable endpoint accepts unauthenticated requests.

  • Victim interaction: Not required

    The attacker can trigger the injection directly with no action required from any user or administrator.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; no race conditions or specific memory layout are required.

Blast Radius

  • An attacker can read arbitrary rows from the WordPress database, including stored user credentials, session tokens, and customer support ticket contents.
  • Because the scope is changed (S:C in the CVSS vector), the impact can extend beyond the plugin itself to other data stored in the shared database instance.
  • Availability is partially impaired; a crafted query can degrade or crash database-driven functionality on the affected site.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at CRITICAL severity and surfaces immediately in the findings queue for any scanned image that bundles JS Help Desk 3.0.9 or earlier. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle. Where compliance policy permits, compensating controls can be applied in the interim: network-policy rules that restrict public access to affected WordPress endpoints, egress filtering to limit database exposure, and feature-flag or plugin-deactivation guidance surfaced directly in the finding detail. The moment an upstream fix version is published, a patched-image rebuild becomes available; for customers who opt into auto-remediation, the rebuild, regression test run, and PR opened against affected workloads follow automatically.

Affected packages

  • Ahmad / JS Help Desk, versions ≤ 3.0.9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L