JS Help Desk < 2.9.3 – Unauthenticated Arbitrary File Deletion | CVE 2025-30878 | Plugin Vulnerabilities

Description

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

js-support-ticket

Fixed in 2.9.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/db57971b-57d8-4740-92e0-477a4368bd9b

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

LVT-tholv2k

Verified

No

WPVDB ID

ec201f67-c5bb-4112-8bea-ca839b129f17

Timeline

Publicly Published

2025-03-27 (about 1 year ago)

Added

2025-04-02 (about 1 year ago)

Last Updated

2025-04-02 (about 1 year ago)

Other

Published

Title

Published

2024-06-13

Title

Folders Pro < 3.0.3 - Authenticated(Author+) Arbitrary File Upload via handle_folders_file_upload

Published

2014-12-02

Title

Wordpress CodeArt Google MP3 Player - File Disclosure

Published

2025-03-19

Title

Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.25 - Authenticated (Contributor+) Local File Inclusion

Published

2014-08-01

Title

Cross RSS 1.7 - proxy.php rss Parameter Local File Inclusion

Published

2024-04-18

Title

tagDiv Composer < 4.9 - Authenticated (Contributor+) Local File Inclusion via Shortcode