{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24959", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:35.464Z", "datePublished": "2026-02-20T15:47:09.159Z", "dateUpdated": "2026-04-28T16:14:51.842Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "js-support-ticket", "product": "JS Help Desk", "vendor": "JoomSky", "versions": [{"changes": [{"at": "3.0.2", "status": "unaffected"}], "lessThanOrEqual": "3.0.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:57.631Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.<p>This issue affects JS Help Desk: from n/a through <= 3.0.1.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.1."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.842Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-0-1-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress JS Help Desk plugin <= 3.0.1 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T17:56:00.741515Z", "id": "CVE-2026-24959", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:51:51.579Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24959", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T17:56:00.741515Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T17:55:06.483Z"}}], "cna": {"title": "WordPress JS Help Desk plugin <= 3.0.1 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "JoomSky", "product": "JS Help Desk", "versions": [{"status": "affected", "changes": [{"at": "3.0.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.0.1"}], "packageName": "js-support-ticket", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:57.631Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-0-1-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.<p>This issue affects JS Help Desk: from n/a through <= 3.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.842Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24959", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:51.842Z", "dateReserved": "2026-01-28T09:50:35.464Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:47:09.159Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.1."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') en JoomSky JS Help Desk js-support-ticket permite Inyecci\u00f3n SQL Ciega. Este problema afecta a JS Help Desk: desde n/a hasta &lt;= 3.0.1."}], "id": "CVE-2026-24959", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:39.950", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-0-1-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "JS Help Desk", "source": "cna", "vendor": "JoomSky"}, "product": "js_help_desk", "vendor": "joomsky"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:57:14.139161+00:00", "value": {"mitigation_remediation": ["Upgrade the JoomSky JS Help Desk plugin to version 3.0.2 or later, which contains the necessary input sanitization.", "If an upgrade is not immediately possible, disable the plugin or remove it from the site until the patch can be applied.", "Deploy a web application firewall or equivalent input filtering to block common SQL injection payloads against the plugin\u2019s endpoints."], "summary": {"action": "Immediate Patch", "impact": "Blind SQL Injection leading to database compromise"}, "threat_synthesis": {"affected_systems": "WordPress sites running the JoomSky JS Help Desk plugin version 3.0.1 or earlier are affected. The plugin is distributed under the JoomSky brand and is integrated into WordPress sites via the js-support-ticket installation.", "description_and_impact": "Improperly sanitized input in the JoomSky JS Help Desk plugin allows blind SQL injection. The vulnerability can let an attacker extract or modify sensitive data stored in the plugin\u2019s database, potentially including user credentials and site content. The failure to neutralize special characters in SQL statements is a classic instance of CWE\u201189, directly exposing the application to adversarial data manipulation.", "risk_and_exploitability": "The CVSS score of 8.5 classifies this as a high\u2011severity flaw, and an EPSS score below 1% indicates that the probability of exploitation is currently low. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is an external web request \u2013 an attacker can target the plugin\u2019s input handling over HTTP to trigger the blind SQL injection. The absence of an error message means the attack would be conducted by inferring data from response patterns, requiring a certain level of skill but providing significant confidentiality and integrity impact if successful."}}}}, "created": "2026-02-23T14:35:49.051854+00:00", "updated": "2026-04-16T00:00:14.157199+00:00", "vendors": ["joomsky", "joomsky$PRODUCT$js_help_desk", "wordpress", "wordpress$PRODUCT$wordpress"]}