Platform: wordpress
Component: js-support-ticket
Fixed in: 2.9.3
CVE-2025-30878 describes an Arbitrary File Access vulnerability within JoomSky JS Help Desk. This flaw allows attackers to potentially read arbitrary files on the server, leading to sensitive data exposure. The vulnerability impacts versions 0.0.0 through 2.9.2 of JS Help Desk, and a patch is available in version 2.9.3.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read files outside of the intended directory. Successful exploitation could lead to the disclosure of configuration files, source code, database credentials, or other sensitive information. Depending on the files accessible, this could enable further compromise of the WordPress instance, including potential remote code execution if sensitive scripts are exposed. The impact is particularly severe if the server hosts critical business data or handles sensitive user information.
CVE-2025-30878 was publicly disclosed on April 1, 2025. There are currently no known public proof-of-concept exploits. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.38% (59% percentile)
The primary mitigation is to immediately upgrade JS Help Desk to version 2.9.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Review file permissions to ensure that the web server user has minimal necessary access to files. Monitor access logs for suspicious file access attempts, particularly those involving directory traversal patterns. After upgrade, confirm by attempting to access a restricted file via the vulnerable endpoint and verifying that access is denied.
Update the JS Help Desk plugin to the latest available version to mitigate the path traversal vulnerability. Check the release notes for specific upgrade instructions. Consider implementing additional security measures, such as restricting access to sensitive files, to reduce the risk.
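The log-monitoring step above can be sketched as a small scanner. This is an added example, not code from the advisory or from the plugin. It assumes Combined Log Format access logs, and the sample lines, the `file` parameter name and the file names are constructed for illustration. It decodes percent-encoding repeatedly so that encoded and double-encoded `../` sequences are caught as well as literal ones.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment that starts after a separator or parameter delimiter
# and is followed by a slash, a backslash or the end of the target.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %2e%2e%2f and %252e%252e%252f normalise."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(lines):
    """Return (ip, status, raw_target) for requests with a '..' path segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and TRAVERSAL_RE.search(fully_decode(m.group("target"))):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits


# Constructed sample lines (documentation IP ranges, hypothetical parameter name).
SAMPLE = [
    '203.0.113.7 - - [02/Apr/2025:10:00:01 +0000] "GET /?file=../../example.conf HTTP/1.1" 200 3120',
    '203.0.113.7 - - [02/Apr/2025:10:00:02 +0000] "GET /?file=%2e%2e%2fexample.conf HTTP/1.1" 403 199',
    '203.0.113.9 - - [02/Apr/2025:10:00:03 +0000] "GET /?file=%252e%252e%255cexample.conf HTTP/1.1" 200 3120',
    '198.51.100.4 - - [02/Apr/2025:10:00:04 +0000] "GET /?page_id=12 HTTP/1.1" 200 512',
    '198.51.100.4 - - [02/Apr/2025:10:00:05 +0000] "GET /blog/version-1..2-released/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, target in find_traversal(SAMPLE):
        # A 2xx response to a traversal request deserves review before a 403 does.
        print(f"{'REVIEW' if status < 300 else 'blocked'} {ip} {status} {target}")
```

Hits answered with a 2xx status are the ones to triage first, since a 403 suggests the WAF rule or the patched plugin rejected the request.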
CVE-2025-30878 is a vulnerability in JS Help Desk allowing attackers to read arbitrary files on the server. It has a HIGH severity rating and affects versions 0.0.0 through 2.9.2.
If you are using JS Help Desk version 0.0.0 through 2.9.2 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade JS Help Desk to version 2.9.3 or later to resolve this vulnerability. Consider implementing WAF rules as an interim measure.
As of the current date, there are no known public exploits or confirmed active exploitation campaigns for CVE-2025-30878.
Refer to the JoomSky website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-30878.