WordPress Plugin Vulnerabilities

JS Help Desk – AI-Powered Support & Ticketing System < 3.0.4 - Authenticated (Subscriber+) Insecure Direct Object Reference

Description

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.3 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions.

Affects Plugins

Plugin icon
js-support-ticket
Fixed in 3.0.4

References

CVE
CVE-2026-32535
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/87d684ba-4856-429f-9e4e-baa61c3967e1

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bonds
Verified
No
WPVDB ID
2ea46f9c-504e-4510-a568-a6499e4bf38b

Timeline

Publicly Published
2026-03-23 (about 2 months ago)
Added
2026-04-02 (about 1 month ago)
Last Updated
2026-04-02 (about 1 month ago)

Other

Published
Title
Published
2023-12-29
Title
WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR
Published
2025-04-24
Title
Upsell Funnel Builder for WooCommerce < 3.0.1 - Unauthenticated Order Manipulation
Published
2025-06-19
Title
Download Attachments < 1.3.2 - Unauthenticated Insecure Direct Object Reference
Published
2025-12-17
Title
HUSKY – Products Filter Professional for WooCommerce < 1.3.7.4 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'
Published
2025-11-24
Title
Admin and Customer Messages After Order for WooCommerce: OrderConvo < 15 - Missing Authorization to Unauthenticated User Impersonation in Order Messages