Platform: wordpress
Component: js-support-ticket
Fixed in: 2.9.3
CVE-2025-30878 describes an Arbitrary File Access vulnerability within JoomSky JS Help Desk. This flaw allows attackers to potentially read arbitrary files on the server, leading to sensitive data exposure. The vulnerability impacts versions 0.0.0 through 2.9.2 of JS Help Desk, and a patch is available in version 2.9.3.
An attacker can leverage this path traversal vulnerability to read arbitrary files from the server hosting JS Help Desk. This could include sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the web server and potentially the entire WordPress instance. The impact is particularly severe if the server hosts other sensitive applications or data. This vulnerability shares similarities with other path traversal exploits, where attackers manipulate file paths to bypass security restrictions.
CVE-2025-30878 was publicly disclosed on April 1, 2025. Currently, there are no known public proof-of-concept exploits. The vulnerability's severity is classified as HIGH, indicating a reasonable probability of exploitation if left unaddressed. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the JS Help Desk plugin, particularly those running versions 0.0.0 through 2.9.2, are at risk. Shared hosting environments where users have limited control over server configurations are especially vulnerable, as they may not be able to implement WAF rules or adjust file permissions effectively.
• wordpress / composer / npm:
grep -rF '../' /var/www/html/wp-content/plugins/js-help-desk/*   # -F searches for the literal string '../'; without it the pattern is a regex that matches almost any path
• generic web:
curl -I 'https://example.com/js-help-desk/index.php?file=../../../../etc/passwd' # Check for 200 OK response indicating file access
Disclosure
Exploit status:
EPSS: 0.38% (59th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to immediately upgrade JS Help Desk to version 2.9.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These include restricting file permissions on the server to limit the attacker's ability to read sensitive files. Web Application Firewall (WAF) rules can be configured to block requests containing suspicious path traversal sequences (e.g., ../). Thoroughly review and harden the server's configuration to minimize the potential impact of a successful exploit.
Update the JS Help Desk plugin to the latest available version to mitigate the path traversal vulnerability. Check the release notes for specific upgrade instructions. Consider implementing additional security measures, such as restricting access to sensitive files, to reduce the risk.
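As an added illustration of the mitigation guidance above (this is not code from the advisory, from JoomSky, or from the JS Help Desk plugin), the following Python shows the two defensive checks the text describes: a WAF-style detector that flags path traversal sequences in request parameters, including URL-encoded, double-encoded and backslash variants, run over constructed access-log lines; and a safe path-resolution function that confines a requested file name to an allowed directory, which is the check a path traversal bug lacks. The log lines, the `file` parameter name (taken from the curl check on this page), the plugin URL path and the root directory are all assumptions made for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic) in common log format.
# The parameter name "file" mirrors the curl check on the advisory page; it is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2025:10:01:13 +0000] "GET /wp-content/plugins/js-help-desk/index.php?file=report.pdf HTTP/1.1" 200 8123
203.0.113.7 - - [02/Apr/2025:10:01:19 +0000] "GET /wp-content/plugins/js-help-desk/index.php?file=../../../../etc/passwd HTTP/1.1" 200 1504
198.51.100.4 - - [02/Apr/2025:10:02:02 +0000] "GET /wp-content/plugins/js-help-desk/index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3411
198.51.100.4 - - [02/Apr/2025:10:02:40 +0000] "GET /wp-content/plugins/js-help-desk/index.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3411
192.0.2.9 - - [02/Apr/2025:10:03:05 +0000] "GET /wp-content/plugins/js-help-desk/index.php?file=notes..txt HTTP/1.1" 200 220
"""

# Extracts the request target ("/path?query") from a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# A ".." path component delimited by a slash (or string boundary); "notes..txt" must not match.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (double encoding is a common filter bypass)
    and fold backslashes to slashes so one pattern covers both separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True when the decoded parameter value contains a '..' path component."""
    return TRAVERSAL_RE.search(normalize(value)) is not None


def flag_traversal_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (parameter name, request target) for every log line whose query
    string carries a traversal sequence. This is the rule a WAF would apply."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        # parse_qs already decodes one layer of percent-encoding.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            if any(is_traversal(v) for v in values):
                hits.append((name, target))
                break
    return hits


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` only if it lies inside `root` after
    symlink and '..' resolution; otherwise return None. Rejecting anything that
    escapes the allowed directory is the fix for an arbitrary file read."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, normalize(requested)))
    # commonpath catches both "../" escapes and absolute paths such as /etc/passwd.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for name, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt in parameter {name!r}: {target}")
    # /srv/wp-uploads is an assumed allowed directory for the demonstration.
    print(resolve_under_root("/srv/wp-uploads", "tickets/1.pdf"))
    print(resolve_under_root("/srv/wp-uploads", "../../../../etc/passwd"))
```

The detector decodes before matching because a rule written against the raw query string is trivially bypassed by `%2e%2e%2f` or a doubly encoded variant; the resolver does not try to strip `../` from the input (a strip can itself be bypassed) but instead resolves the final path and checks where it landed.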
CVE-2025-30878 is a vulnerability in JS Help Desk allowing attackers to read arbitrary files on the server. It has a HIGH severity rating and affects versions 0.0.0 through 2.9.2.
If you are using JS Help Desk version 0.0.0 through 2.9.2 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade JS Help Desk to version 2.9.3 or later to resolve this vulnerability. Consider implementing WAF rules as an interim measure.
As of the current date, there are no known public exploits or confirmed active exploitation campaigns for CVE-2025-30878.
Refer to the JoomSky website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-30878.