JS Help Desk – Best Help Desk & Support Plugin < 2.8.8 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2024-51670 | Plugin Vulnerabilities

Description

The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

js-support-ticket

Fixed in 2.8.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/da2dd641-6f98-4258-a758-2bfc831b3898

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

casol

Verified

No

WPVDB ID

2efb2628-1cda-4137-96e1-7f90da4dd55f

Timeline

Publicly Published

2024-11-01 (about 1 year ago)

Added

2024-11-06 (about 1 year ago)

Last Updated

2024-11-06 (about 1 year ago)

Other

Published

Title

Published

2014-12-15

Title

WP Construction Mode <= 1.91 - Cross-Site Scripting (XSS)

Published

2024-05-23

Title

Custom Fonts – Host Your Fonts Locally < 2.1.5 - Author+ Stored XSS

Published

2024-01-30

Title

Persian Fonts <= 1.6 - Admin+ Stored XSS

Published

2024-11-27

Title

Kudos Donations – Easy donations and payments with Mollie < 3.3.0 - Reflected Cross-Site Scripting via 'add_query_arg'

Published

2025-05-07

Title

aBlocks < 1.9.3 - Contributor+ Stored XSS