Atomic Edge analysis of CVE-2026-48886:

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress, versions up to and including 3.0.9, contains multiple unauthenticated SQL injection vulnerabilities. Atomic Edge research identified numerous places throughout the plugin where user-supplied integer parameters were passed into SQL queries after nothing more than esc_sql() escaping, with no type validation or cast to integer. This allows unauthenticated attackers to inject arbitrary SQL into database queries, potentially extracting sensitive information or modifying database contents.

Root Cause:

The root cause is improper handling of numeric parameters in SQL queries across multiple files in the plugin. The plugin applies esc_sql() (WordPress's SQL escaping function) to parameters that should be integers, but esc_sql() only escapes string literals — it does not validate that the input is numeric. When a parameter like `$jsst_fieldfor`, `$jsst_multiformid`, `$jsst_ticketid`, `$jsst_uid`, `$jsst_userid`, `$jsst_id`, `$jsst_departmentid`, or `$jsst_downloadid` is concatenated directly into a SQL query after esc_sql(), an attacker can supply a string containing SQL injection payloads instead of an integer. The diff shows over 70 instances where `esc_sql()` was replaced with `intval()` across files including customfields.php, uploads.php, user.php, department/model.php, attachment/model.php, email/model.php, and others. The vulnerable parameters flow from AJAX requests, form submissions, and direct URL parameters into functions like `getCustomFieldsByFieldFor`, `getTicketAttachment`, `deleteUserdata`, `getDepartmentById`, `getSignatureByID`, and many more query-building methods.

Exploitation:

An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to WordPress AJAX handlers or directly to plugin PHP files. For example, the `getCustomFieldsByFieldFor` method in `customfields.php` accepts `$jsst_fieldfor` and `$jsst_multiformid` parameters that can be supplied via POST/GET requests. By sending a request such as `POST /wp-admin/admin-ajax.php` with `action=jssupportticket_getcustomfields` and `fieldfor=1 UNION SELECT …`, the attacker can inject SQL. Similarly, the `getTicketAttachment` method in `attachment/model.php` accepts a ticket ID parameter that flows into the query `WHERE ticketid = " . esc_sql($jsst_id)`. An attacker can craft a request to `/wp-admin/admin-ajax.php?action=jssupportticket_getattachment&id=1 UNION SELECT user_login,user_pass FROM wp_users` to extract user credentials. The `getAllDownloads` function in `attachment/model.php` uses `$jsst_downloadid` from the `downloadid` request parameter, which can be manipulated. Since the plugin does not require authentication for many of these endpoints (or the nonce check can be bypassed), unauthenticated attackers can exploit these injections.

Patch Analysis:

The patch replaces all instances of `esc_sql()` with `intval()` for numeric parameters across the codebase. `intval()` converts the input to an integer, keeping only a leading integer prefix (non-numeric input becomes 0), so SQL injection through these parameters is no longer possible. For example, in `customfields.php` line 613, the code changed from `fieldfor =" . esc_sql($jsst_fieldfor)` to `fieldfor =" . intval($jsst_fieldfor)`. If an attacker passes `fieldfor=1 UNION SELECT …`, `intval()` returns `1`, and the query executes safely with the value 1. The patch also includes other improvements such as adding authorization checks (e.g., in `getAllDownloads` the patch adds a check for ticket ownership before allowing download) and updating version strings. This is a comprehensive fix that addresses all vulnerable SQL query constructions identified in the codebase.

Impact:

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL commands against the WordPress database. This can lead to extraction of sensitive information including usernames, password hashes, email addresses, and session tokens from the wp_users table. The attacker could also modify database content, potentially creating new administrator accounts, changing plugin settings, or injecting malicious code into pages/posts. Given the CVSS score of 7.5, this represents a high-severity risk to all WordPress sites running the vulnerable plugin version. The impact is amplified by the fact that no authentication is required, making automated mass exploitation feasible.

ModSecurity rule:

# Atomic Edge WAF Rule – CVE-2026-48886
# This rule blocks SQL injection attempts targeting the JS Help Desk plugin's vulnerable numeric parameters
# It matches across multiple endpoints where the plugin processes unvalidated numeric inputs
SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php|/wp-content/plugins/js-support-ticket/" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-48886 JS Help Desk SQL Injection Attempt',severity:'CRITICAL',tag:'CVE-2026-48886'"
    SecRule ARGS "@rx (?:UNION\s+SELECT|SELECT\s+.*\s+FROM|INSERT\s+INTO|UPDATE\s+.*\s+SET|DELETE\s+FROM|DROP\s+TABLE|LOAD_FILE|INTO\s+OUTFILE|--|#|\bOR\b.*=.*|\bAND\b.*=.*)" \
        "chain"
    SecRule ARGS_NAMES "@rx ^(?:fieldfor|multiformid|id|ticketid|userid|uid|departmentid|downloadid)$" \
        "t:none"
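To make the esc_sql()/intval() contrast from the patch analysis concrete, here is an added example (not code from the plugin or from Atomic Edge) that builds a getCustomFieldsByFieldFor-style query three ways on constructed inputs. `esc_sql_standalone()` and `$prefix` are stand-ins for WordPress's `esc_sql()` and `jssupportticket::$_db->prefix` so the file runs without WordPress, and `strict_id()` is a hypothetical stricter validator that rejects rather than coerces.

```php
<?php
// Added example, not plugin code. Compares the vulnerable esc_sql() path,
// the patched intval() path, and a strict validator on the same inputs.
// esc_sql_standalone() stands in for WordPress's esc_sql(); $prefix stands
// in for jssupportticket::$_db->prefix.

declare(strict_types=1);

// Stand-in for esc_sql(): escapes the characters a MySQL string literal needs
// escaped. Like the real function, it leaves spaces and keywords untouched.
function esc_sql_standalone(string $value): string
{
    return addcslashes($value, "\x00\n\r\\'\"\x1a");
}

// Vulnerable form (<= 3.0.9): the value is escaped as though it were a string
// literal, but it is spliced into the query outside of quotes.
function build_query_vulnerable(string $prefix, string $fieldfor): string
{
    return "SELECT field,fieldtitle FROM " . $prefix
        . "js_ticket_fieldsordering WHERE isuserfield = 1 AND fieldfor ="
        . esc_sql_standalone($fieldfor) . " ORDER BY ordering";
}

// Patched form (3.1.0): intval() keeps only the leading integer, so whatever
// follows it never reaches the query.
function build_query_fixed(string $prefix, string $fieldfor): string
{
    return "SELECT field,fieldtitle FROM " . $prefix
        . "js_ticket_fieldsordering WHERE isuserfield = 1 AND fieldfor ="
        . intval($fieldfor) . " ORDER BY ordering";
}

// Hypothetical stricter alternative: reject anything that is not a whole
// non-negative integer instead of silently coercing "5abc" to 5 or "abc" to 0.
function strict_id(string $value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// True when the finished query ends with exactly one integer predicate,
// i.e. nothing from the input survived except digits.
function query_is_clean(string $query): bool
{
    return preg_match('/ fieldfor =\d+ ORDER BY ordering$/', $query) === 1;
}

$prefix = 'wp_';
$inputs = ['7', '1 OR 1=1', '5abc', 'abc'];   // constructed sample inputs

foreach ($inputs as $in) {
    $vuln  = build_query_vulnerable($prefix, $in);
    $fixed = build_query_fixed($prefix, $in);
    $id    = strict_id($in);
    printf("%-12s vulnerable clean: %-4s fixed clean: %-4s strict: %s\n",
        var_export($in, true),
        query_is_clean($vuln) ? 'yes' : 'no',
        query_is_clean($fixed) ? 'yes' : 'no',
        $id === null ? 'rejected' : (string) $id);
}
```

The last column is the caveat to keep in mind when reviewing intval()-based fixes: `'abc'` becomes row id 0 and `'5abc'` becomes 5 without any error, whereas the strict check refuses both.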

CVE-2026-48886: JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.9 Unauthenticated SQL Injection PoC, Patch Analysis & Rule
CVE: CVE-2026-48886
Plugin slug: js-support-ticket
Affected version: 3.0.9
Fixed in: 3.1.0
Analysis Overview
Differential between vulnerable and patched code
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/js-support-ticket/includes/activation.php
+++ b/js-support-ticket/includes/activation.php
@@ -201,8 +201,8 @@
('tplink_faqs_user', '0', 'tplink', 'faq'),
('show_breadcrumbs', '1', 'default', NULL),
('productcode', 'jsticket', 'default', NULL),
- ('versioncode', '3.0.9', 'default', NULL),
- ('productversion', '309', 'default', NULL),
+ ('versioncode', '3.1.0', 'default', NULL),
+ ('productversion', '310', 'default', NULL),
('producttype', 'free', 'default', NULL),
('tve_enabled', '2', 'default', NULL),
('tve_mailreadtype', '3', 'default', NULL),
--- a/js-support-ticket/includes/classes/customfields.php
+++ b/js-support-ticket/includes/classes/customfields.php
@@ -610,7 +610,7 @@
if (!is_admin()) {
$jsst_inquery .= ' AND adminonly != 1 ';
}
- $jsst_query = "SELECT field,fieldtitle,isuserfield,userfieldtype,userfieldparams,multiformid FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $jsst_published . " AND fieldfor =" . esc_sql($jsst_fieldfor) . $jsst_inquery. " AND multiformid =" . esc_sql($jsst_multiformid). " ORDER BY ordering";
+ $jsst_query = "SELECT field,fieldtitle,isuserfield,userfieldtype,userfieldparams,multiformid FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $jsst_published . " AND fieldfor =" . intval($jsst_fieldfor) . $jsst_inquery. " AND multiformid =" . intval($jsst_multiformid). " ORDER BY ordering";
$jsst_data = jssupportticket::$_db->get_results($jsst_query);
return $jsst_data;
}
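Review bot: the two `intval()` casts close the injectable `fieldfor` and `multiformid` predicates, but the statement is still assembled by concatenation; assuming `jssupportticket::$_db` is the global `$wpdb`, building it with `$_db->prepare()` and `%d` placeholders would enforce the integer contract at the call site instead of relying on every caller remembering the cast. `$jsst_published` and `$jsst_inquery` are concatenated raw on the same line; the visible `$jsst_inquery` fragment is a constant string, and `$jsst_published` should be confirmed to be one as well.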
@@ -628,7 +628,7 @@
$jsst_inquery .= " AND adminonly != 1";
}
- $jsst_query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $jsst_inquery . " AND fieldfor =" . esc_sql($jsst_fieldfor) ." ORDER BY ordering ";
+ $jsst_query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $jsst_inquery . " AND fieldfor =" . intval($jsst_fieldfor) ." ORDER BY ordering ";
$jsst_data = jssupportticket::$_db->get_results($jsst_query);
return $jsst_data;
}
@@ -638,7 +638,7 @@
return false;
}
- $jsst_query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND published = 1 AND search_admin =1 AND fieldfor =" . esc_sql($jsst_fieldfor) ." ORDER BY ordering ";
+ $jsst_query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND published = 1 AND search_admin =1 AND fieldfor =" . intval($jsst_fieldfor) ." ORDER BY ordering ";
$jsst_data = jssupportticket::$_db->get_results($jsst_query);
return $jsst_data;
}
--- a/js-support-ticket/includes/classes/uploads.php
+++ b/js-support-ticket/includes/classes/uploads.php
@@ -23,7 +23,7 @@
if($this->jsst_uploadfor == 'ticket'){
if(!is_numeric($this->jsst_ticketid)) return false;
$jsst_path = $jsst_path . '/ticket';
- $jsst_query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".esc_sql($this->jsst_ticketid);
+ $jsst_query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".intval($this->jsst_ticketid);
$jsst_foldername = jssupportticket::$_db->get_var($jsst_query);
}elseif($this->jsst_uploadfor == 'article'){
$jsst_path = $jsst_path . '/articles/article_'.$this->jsst_articleid;
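Review bot: the `is_numeric()` guard two lines above already rejects injection strings here, so this `intval()` is hardening rather than a fix; it does normalise forms that `is_numeric()` accepts, such as `'1.5'` or `'1e3'`, to a single integer, which deserves a comment. The `article` branch at the bottom of the hunk concatenates `$this->jsst_articleid` into a filesystem path with no equivalent numeric check in view; confirm it is validated before use.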
--- a/js-support-ticket/includes/classes/user.php
+++ b/js-support-ticket/includes/classes/user.php
@@ -15,7 +15,7 @@
$jsst_wpuserid = get_current_user_id();
if (!is_numeric($jsst_wpuserid))
return false;
- $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($jsst_wpuserid);
+ $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . intval($jsst_wpuserid);
$jsst_currentuser = jssupportticket::$_db->get_row($jsst_query);
$jsst_jssupportticket_registerform = JSSTrequest::getVar('jsst_support_register_nonce', 'post', '');
$jsst_registerform = JSSTrequest::getVar('jssupportticket_registerform', 'post', 0);
@@ -66,7 +66,7 @@
$jsst_row->store();
if (is_numeric($jsst_row->id)) {
- $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . esc_sql($jsst_row->id);
+ $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . intval($jsst_row->id);
$jsst_currentuser = jssupportticket::$_db->get_results($jsst_query);
}
}
@@ -168,7 +168,7 @@
$jsst_wpuserid = JSSTincluder::getObjectClass('user')->uid();
if (!is_numeric($jsst_wpuserid))
return false;
- $jsst_query = "SELECT COUNT(id) FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($jsst_wpuserid);
+ $jsst_query = "SELECT COUNT(id) FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . intval($jsst_wpuserid);
$jsst_result = jssupportticket::$_db->get_results($jsst_query);
if ($jsst_result > 0) {
return true;
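Review bot: the existing logic at the end of this hunk compares the return value of `get_results()`, which is an array, against `> 0`; in PHP an array compares greater than any integer, so the check passes even when the array is empty. For a `SELECT COUNT(id)` query use `get_var()` and compare the scalar count.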
@@ -200,7 +200,7 @@
function getjssupportticketuidbyuserid($jsst_userid)
{
if (!is_numeric($jsst_userid)) return false;
- $jsst_query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($jsst_userid);
+ $jsst_query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . intval($jsst_userid);
$jsst_uid = jssupportticket::$_db->get_results($jsst_query);
return $jsst_uid;
}
@@ -213,7 +213,7 @@
if (!is_numeric($jsst_uid)) return false;
$jsst_model = JSSTincluder::getJSModel('ticket');
- $jsst_query = "SELECT id, ticketid FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE wpuid = " . esc_sql($jsst_uid);
+ $jsst_query = "SELECT id, ticketid FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE wpuid = " . intval($jsst_uid);
$jsst_tickets = jssupportticket::$_db->get_results($jsst_query);
do_action('jsst_addon_deletequery_for_user');
@@ -225,11 +225,11 @@
LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_activity_log` AS activity_log ON activity_log.uid = user.id
LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_erasedatarequests` AS erasedatarequests ON erasedatarequests.uid = user.id
" . jssupportticket::$_addon_query['join'] . "
- WHERE user.id = " . esc_sql($jsst_uid);
+ WHERE user.id = " . intval($jsst_uid);
jssupportticket::$_db->query($jsst_query);
do_action('jsst_reset_aadon_query');
- $jsst_query = "DELETE user FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` AS user WHERE wpuid = " . esc_sql($jsst_uid);
+ $jsst_query = "DELETE user FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` AS user WHERE wpuid = " . intval($jsst_uid);
if (jssupportticket::$_db->query($jsst_query)) {
// --- START FILESYSTEM FIX ---
@@ -262,7 +262,7 @@
if (!is_numeric($jsst_wpuid))
return false;
- $jsst_query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($jsst_wpuid);
+ $jsst_query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . intval($jsst_wpuid);
$jsst_result = jssupportticket::$_db->get_var($jsst_query);
return $jsst_result;
}
@@ -271,7 +271,7 @@
if (!is_numeric($jsst_uid))
return false;
- $jsst_query = "SELECT display_name,user_nicename FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . esc_sql($jsst_uid);
+ $jsst_query = "SELECT display_name,user_nicename FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . intval($jsst_uid);
$jsst_result = jssupportticket::$_db->get_row($jsst_query);
return $jsst_result;
}
--- a/js-support-ticket/includes/includer.php
+++ b/js-support-ticket/includes/includer.php
@@ -15,7 +15,7 @@
public static function include_file($jsst_filename, $jsst_module_name = null) {
$allowed_modules = array(
- 'activitylog','attachment','configuration','department','email','emailtemplate','fieldordering','gdpr','jssupportticket','postinstallation','premiumplugin','priority','product','reply','reports','slug','status','systemerror','themes','thirdpartyimport','ticket','actions','agent','role','roleaccessdepartments','rolepermissions','useraccessdepartments','userpermissions','agentautoassign','aipoweredreply','announcement','autoclose','banemail','banemaillog','cannedresponses','dashboardwidgets','download','easydigitaldownloads','emailcc','emailpiping','envatovalidation','export','faq','feedback','helptopic','knowledgebase','mail','mailchimp','maxticket','mergeticket','multiform','multilanguageemailtemplates','note','notification','overdue','paidsupport','privatecredentials','smtp','sociallogin','themes','tickethistory','timetracking','useroptions','widgets','woocommerce','downloadattachment','articleattachmet','actions','actions','actions','actions','actions',
+ 'activitylog','attachment','configuration','department','email','emailtemplate','fieldordering','gdpr','jssupportticket','postinstallation','premiumplugin','priority','product','reply','reports','slug','status','systemerror','themes','thirdpartyimport','ticket','actions','agent','role','roleaccessdepartments','rolepermissions','useraccessdepartments','userpermissions','agentautoassign','aipoweredreply','announcement','autoclose','banemail','banemaillog','cannedresponses','dashboardwidgets','download','zywrap','easydigitaldownloads','emailcc','emailpiping','envatovalidation','export','faq','feedback','helptopic','knowledgebase','mail','mailchimp','maxticket','mergeticket','multiform','multilanguageemailtemplates','note','notification','overdue','paidsupport','privatecredentials','smtp','sociallogin','themes','tickethistory','timetracking','useroptions','widgets','woocommerce','downloadattachment','articleattachmet','actions','actions','actions','actions','actions',
);
if (
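Review bot: the only functional change in this hunk is the new `'zywrap'` entry in `$allowed_modules`, and nothing else in the patch references it; the change should say which module it enables. While the line is being touched, the list contains `'themes'` twice and `'actions'` six times, and `'articleattachmet'` reads like a typo for `articleattachment`; if the misspelling matches a real module directory leave it, otherwise fix it, and deduplicate the rest.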
--- a/js-support-ticket/includes/jsst-hooks.php
+++ b/js-support-ticket/includes/jsst-hooks.php
@@ -287,7 +287,7 @@
if(!is_numeric($jsst_user_id)){
return false;
}
- $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "users` WHERE id = " . esc_sql($jsst_user_id);
+ $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "users` WHERE id = " . intval($jsst_user_id);
$jsst_user = jssupportticket::$_db->get_row($jsst_query);
$jsst_uid = "";
@@ -299,7 +299,7 @@
if(isset($_POST['user_id'])) $jsst_post_user_id = jssupportticket::JSST_sanitizeData($_POST['user_id']); // JSST_sanitizeData() function uses wordpress santize functions
if ($jsst_post_user_id == $jsst_user_id) {
- $jsst_query = "SELECT id FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` WHERE wpuid = " . esc_sql($jsst_user_id);
+ $jsst_query = "SELECT id FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` WHERE wpuid = " . intval($jsst_user_id);
$jsst_id = jssupportticket::$_db->get_var($jsst_query);
}
$jsst_name = "";
--- a/js-support-ticket/includes/permissions.php
+++ b/js-support-ticket/includes/permissions.php
@@ -12,7 +12,7 @@
$jsst_query = "SELECT perm_allowed.status
FROM `" . jsjobs::$_db->prefix . "jsjobs_permissions` AS perm
JOIN `" . jsjobs::$_db->prefix . "jsjobs_permissions_allowed` AS perm_allowed ON perm_allowed.permissionid = perm.id
- WHERE perm.permissions = '".esc_sql($jsst_permissionfor)."' AND perm_allowed.userid = ".esc_sql($jsst_userid);
+ WHERE perm.permissions = '".esc_sql($jsst_permissionfor)."' AND perm_allowed.userid = ".intval($jsst_userid);
$jsst_result = jsjobs::$_db->get_var($jsst_query);
return $jsst_result;
}
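Review bot: this file queries `jsjobs::$_db` and the `jsjobs_permissions` tables from inside the js-support-ticket plugin, which looks like code carried over from a sibling JS Jobs plugin; confirm that class exists in this plugin's context, or the function fatals on first call. The `intval()` on `perm_allowed.userid` is correct, and `perm.permissions` staying a quoted string with `esc_sql()` is the right treatment for a string literal.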
--- a/js-support-ticket/js-support-ticket.php
+++ b/js-support-ticket/js-support-ticket.php
@@ -1,17 +1,13 @@
<?php
-/**
- * @package JS Help Desk
- * @author Ahmad Bilal
- * @version 3.0.9
- */
/*
Plugin Name: JS Help Desk – AI-Powered Support & Ticketing System
Plugin URI: https://www.jshelpdesk.com
Description: JS Help Desk is a trusted open source ticket system. JS Help Desk is a simple, easy to use, web-based customer support system. User can create ticket from front-end. JS Help Desk comes packed with lot features than most of the expensive(and complex) support ticket system on market. JS Help Desk provide you best industry help desk system.
Author: JS Help Desk
- Version: 3.0.9
+ Version: 3.1.0
Text Domain: js-support-ticket
+ Domain Path: /languages
License: GPLv3
Author URI: https://www.jshelpdesk.com
*/
@@ -67,7 +63,7 @@
self::$jsst_data = array();
self::$_search = array();
self::$_captcha = array();
- self::$_currentversion = '309';
+ self::$_currentversion = '310';
self::$_addon_query = array('select'=>'','join'=>'','where'=>'');
self::$_jshdsession = JSSTincluder::getObjectClass('wphdsession');
global $wpdb;
@@ -147,7 +143,7 @@
// restore colors data end
update_option('jsst_currentversion', self::$_currentversion);
include_once JSST_PLUGIN_PATH . 'includes/updates/updates.php';
- JSSTupdates::checkUpdates('309');
+ JSSTupdates::checkUpdates('310');
JSSTincluder::getJSModel('jssupportticket')->updateColorFile();
JSSTincluder::getJSModel('jssupportticket')->jsst_check_license_status();
JSSTincluder::getJSModel('jssupportticket')->JSSTAddonsAutoUpdate();
@@ -1544,7 +1540,7 @@
// in case if user is agent
if ( in_array('agent',jssupportticket::$_active_addons)) {
$jsst_query = "
- SELECT id, photo FROM `" . jssupportticket::$_db->prefix."js_ticket_staff` AS staff WHERE staff.uid = ".esc_sql($jsst_uid);
+ SELECT id, photo FROM `" . jssupportticket::$_db->prefix."js_ticket_staff` AS staff WHERE staff.uid = ".intval($jsst_uid);
$jsst_staff_data = jssupportticket::$_db->get_row($jsst_query);
if (!empty($jsst_staff_data->photo)) {
$jsst_maindir = wp_upload_dir();
--- a/js-support-ticket/modules/attachment/controller.php
+++ b/js-support-ticket/modules/attachment/controller.php
@@ -55,7 +55,7 @@
exit;
}
- static function deleteattachment() {
+ static function deleteattachment() {
$jsst_id = absint( JSSTrequest::getVar( 'id' ) );
$jsst_ticket_id = absint( JSSTrequest::getVar( 'ticketid' ) );
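Review bot: the removed and added `static function deleteattachment() {` lines are textually identical, so this hunk is a whitespace-only change; drop it so the security patch stays reviewable. The `absint()` calls on `id` and `ticketid` directly below it already match the integer treatment applied elsewhere in the patch.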
--- a/js-support-ticket/modules/attachment/model.php
+++ b/js-support-ticket/modules/attachment/model.php
@@ -10,7 +10,7 @@
return false;
$jsst_query = "SELECT filename,filesize,id
FROM `" . jssupportticket::$_db->prefix . "js_ticket_attachments`
- WHERE ticketid = " . esc_sql($jsst_id) . " and replyattachmentid = 0";
+ WHERE ticketid = " . intval($jsst_id) . " and replyattachmentid = 0";
jssupportticket::$jsst_data[5] = jssupportticket::$_db->get_results($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -25,7 +25,7 @@
return false;
$jsst_query = "SELECT filename,filesize,id
FROM `" . jssupportticket::$_db->prefix . "js_ticket_attachments`
- WHERE ticketid = " . esc_sql($jsst_id) . " AND replyattachmentid = " . esc_sql($jsst_replyattachmentid);
+ WHERE ticketid = " . intval($jsst_id) . " AND replyattachmentid = " . intval($jsst_replyattachmentid);
$jsst_result = jssupportticket::$_db->get_results($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -77,7 +77,7 @@
$jsst_query = $jsst_query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename "
. " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
. " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
- . " WHERE attach.id = ". esc_sql($jsst_id);
+ . " WHERE attach.id = ". intval($jsst_id);
$jsst_obj = jssupportticket::$_db->get_row($jsst_query);
$jsst_filename = $jsst_obj->filename;
$jsst_foldername = $jsst_obj->foldername;
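Review bot: `$jsst_query = $jsst_query = "SELECT ...` on the first line of this hunk is a doubled assignment; drop one. `$jsst_obj->filename` and `$jsst_obj->foldername` are then read without checking that `get_row()` returned a row, so an `id` that matches no attachment produces a PHP warning or error here instead of a clean failure; add `if (!$jsst_obj) return false;` after the query. The same applies to the two following hunks at @@ -107 and @@ -128.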
@@ -107,7 +107,7 @@
$jsst_query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename "
. " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
. " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
- . " WHERE attach.id = ". esc_sql($jsst_id);
+ . " WHERE attach.id = ". intval($jsst_id);
$jsst_object = jssupportticket::$_db->get_row($jsst_query);
$jsst_datadirectory = jssupportticket::$_config['data_directory'];
$jsst_foldername = $jsst_object->foldername;
@@ -128,7 +128,7 @@
$jsst_query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename "
. " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
. " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
- . " WHERE attach.id = ". esc_sql($jsst_id);
+ . " WHERE attach.id = ". intval($jsst_id);
$jsst_object = jssupportticket::$_db->get_row($jsst_query);
$jsst_foldername = $jsst_object->foldername;
$jsst_ticketid = $jsst_object->ticketid;
@@ -259,6 +259,22 @@
function getAllDownloads() {
$jsst_downloadid = JSSTrequest::getVar('downloadid');
+ //if not admin and agent
+ // check for ticket owner only in case of user
+ if(!current_user_can('manage_options') && !(in_array('agent',jssupportticket::$_active_addons) && JSSTincluder::getJSModel('agent')->isUserStaff())){
+ // in case of user check for ticket owner
+ if (!JSSTincluder::getObjectClass('user')->isguest()) {
+ $jsst_current_uid = JSSTincluder::getObjectClass('user')->uid();
+ $jsst_ticket_uid = JSSTincluder::getJSModel('ticket')->getUIdById($jsst_downloadid);
+ if ($jsst_current_uid != $jsst_ticket_uid) {
+ return;
+ }
+ } else {
+ if (!JSSTincluder::getJSModel('ticket')->validateTicketDetailForVisitor($jsst_downloadid)) {
+ return;
+ }
+ }
+ }
$jsst_ticketattachment = JSSTincluder::getJSModel('ticket')->getAttachmentByTicketId($jsst_downloadid);
if(!class_exists('PclZip')){
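Review bot: `$jsst_downloadid` is read from the request on the first line of `getAllDownloads()` and passed to `getUIdById()`, `validateTicketDetailForVisitor()` and `getAttachmentByTicketId()` without the `intval()` cast applied everywhere else in this patch; cast it once at the top (`$jsst_downloadid = intval(JSSTrequest::getVar('downloadid'));`) so the new ownership check and the attachment lookup operate on the same integer. The bare `return;` paths also give the caller no signal; returning false, as the other model methods do, would be consistent.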
--- a/js-support-ticket/modules/department/model.php
+++ b/js-support-ticket/modules/department/model.php
@@ -51,7 +51,7 @@
$jsst_query = "SELECT department.*,email.email AS outgoingemail
FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department
JOIN `" . jssupportticket::$_db->prefix . "js_ticket_email` AS email ON email.id = department.emailid
- WHERE department.id = " . esc_sql($jsst_id);
+ WHERE department.id = " . intval($jsst_id);
jssupportticket::$jsst_data[0] = jssupportticket::$_db->get_row($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError(); // if there is an error add it to system errorrs
@@ -94,7 +94,7 @@
$jsst_emailaddresses = array();
}
$jsst_query = "SELECT email FROM `" . jssupportticket::$_db->prefix . "js_ticket_email`
- WHERE id = ".esc_sql($jsst_data['emailid']);
+ WHERE id = ".intval($jsst_data['emailid']);
$jsst_email = jssupportticket::$_db->get_var($jsst_query);
foreach ($jsst_emailaddresses as $jsst_edata) {
@@ -161,7 +161,7 @@
$jsst_order = "<";
$jsst_direction = "DESC";
}
- $jsst_query = "SELECT t.ordering,t.id,t2.ordering AS ordering2 FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t,`" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t2 WHERE t.ordering $jsst_order t2.ordering AND t2.id = ".esc_sql($jsst_id)." ORDER BY t.ordering $jsst_direction LIMIT 1";
+ $jsst_query = "SELECT t.ordering,t.id,t2.ordering AS ordering2 FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t,`" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t2 WHERE t.ordering $jsst_order t2.ordering AND t2.id = ".intval($jsst_id)." ORDER BY t.ordering $jsst_direction LIMIT 1";
$jsst_result = jssupportticket::$_db->get_row($jsst_query);
$jsst_row = JSSTincluder::getJSTable('departments');
@@ -191,7 +191,7 @@
if(in_array('agent',jssupportticket::$_active_addons)){
$jsst_query = "DELETE
FROM `".jssupportticket::$_db->prefix . "js_ticket_acl_role_access_departments`
- WHERE departmentid = ".esc_sql($jsst_id);
+ WHERE departmentid = ".intval($jsst_id);
jssupportticket::$_db->query($jsst_query);
}
JSSTmessage::setMessage(esc_html(__('The department has been deleted', 'js-support-ticket')), 'updated');
@@ -209,19 +209,19 @@
if (!is_numeric($jsst_id))
return false;
$jsst_query = "SELECT (
- (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE departmentid = " . esc_sql($jsst_id) . ")
- + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($jsst_id) . " AND isdefault = 1) ";
+ (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE departmentid = " . intval($jsst_id) . ")
+ + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . intval($jsst_id) . " AND isdefault = 1) ";
if(in_array('agent', jssupportticket::$_active_addons)){
- $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_acl_user_access_departments` WHERE departmentid = " . esc_sql($jsst_id) . ") ";
+ $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_acl_user_access_departments` WHERE departmentid = " . intval($jsst_id) . ") ";
}
if(in_array('helptopic', jssupportticket::$_active_addons)){
- $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE departmentid = " . esc_sql($jsst_id) . ") ";
+ $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE departmentid = " . intval($jsst_id) . ") ";
}
if(in_array('cannedresponses', jssupportticket::$_active_addons)){
- $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE departmentid = " . esc_sql($jsst_id) . ")";
+ $jsst_query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE departmentid = " . intval($jsst_id) . ")";
}
$jsst_query .= " ) AS total";
@@ -251,7 +251,7 @@
function changeStatus($jsst_id) {
if (!is_numeric($jsst_id))
return false;
- $jsst_query = "SELECT status FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id=" . esc_sql($jsst_id);
+ $jsst_query = "SELECT status FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id=" . intval($jsst_id);
$jsst_status = jssupportticket::$_db->get_var($jsst_query);
$jsst_status = 1 - $jsst_status;
@@ -269,10 +269,10 @@
if (!is_numeric($jsst_id))
return false;
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 0 WHERE id != " . esc_sql($jsst_id);
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 0 WHERE id != " . intval($jsst_id);
jssupportticket::$_db->query($jsst_query);
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 1 - $jsst_default WHERE id=" . esc_sql($jsst_id);
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 1 - $jsst_default WHERE id=" . intval($jsst_id);
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error == null) {
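Review bot: `$jsst_default` is interpolated directly into `SET isdefault = 1 - $jsst_default` on the second `+` line without a cast; if it originates from the request the way `$jsst_id` does, it needs the same `intval()` (or a strict 0/1 check), otherwise this UPDATE remains injectable after the patch.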
@@ -298,7 +298,7 @@
return false;
}
- $jsst_query = "SELECT id, topic AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE status = 1 AND departmentid = " . esc_sql($jsst_departmentid) . " ORDER BY ordering ASC";
+ $jsst_query = "SELECT id, topic AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE status = 1 AND departmentid = " . intval($jsst_departmentid) . " ORDER BY ordering ASC";
$jsst_list = jssupportticket::$_db->get_results($jsst_query);
$jsst_query = "SELECT required FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE field='helptopic'";
@@ -322,7 +322,7 @@
$jsst_departmentid = JSSTrequest::getVar('val');
if (!is_numeric($jsst_departmentid))
return false;
- $jsst_query = "SELECT id, title AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE status = 1 AND departmentid = " . esc_sql($jsst_departmentid);
+ $jsst_query = "SELECT id, title AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE status = 1 AND departmentid = " . intval($jsst_departmentid);
$jsst_query .= " ORDER BY title ASC ";
$jsst_list = jssupportticket::$_db->get_results($jsst_query);
$jsst_combobox = false;
@@ -352,7 +352,7 @@
function getSignatureByID($jsst_id) {
if (!is_numeric($jsst_id))
return false;
- $jsst_query = "SELECT departmentsignature FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($jsst_id);
+ $jsst_query = "SELECT departmentsignature FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . intval($jsst_id);
$jsst_signature = jssupportticket::$_db->get_var($jsst_query);
return $jsst_signature;
}
@@ -360,7 +360,7 @@
function getDepartmentById($jsst_id) {
if (!is_numeric($jsst_id))
return false;
- $jsst_query = "SELECT departmentname FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($jsst_id);
+ $jsst_query = "SELECT departmentname FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . intval($jsst_id);
$jsst_departmentname = jssupportticket::$_db->get_var($jsst_query);
return $jsst_departmentname;
}
--- a/js-support-ticket/modules/email/model.php
+++ b/js-support-ticket/modules/email/model.php
@@ -110,7 +110,7 @@
FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket
LEFT JOIN `".jssupportticket::$_db->prefix."js_ticket_departments` AS dept ON dept.id = ticket.departmentid
LEFT JOIN `".jssupportticket::$_db->prefix."js_ticket_email` AS email ON email.id = dept.emailid
- WHERE ticket.id = ".esc_sql($jsst_id);
+ WHERE ticket.id = ".intval($jsst_id);
$jsst_dept_result = jssupportticket::$_db->get_row($jsst_query);
if($jsst_dept_result){
if(isset($jsst_dept_result->sendmail) && $jsst_dept_result->sendmail == 1){
@@ -1880,19 +1880,19 @@
$jsst_query = "SELECT mail.subject,mail.message,CONCAT(staff.firstname,' ',staff.lastname) AS sendername, staff.uid as staffuid
FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail
JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = mail.fromid
- WHERE mail.id = " . esc_sql($jsst_id);
+ WHERE mail.id = " . intval($jsst_id);
} else {
$jsst_query = "SELECT mail.subject,reply.message,CONCAT(staff.firstname,' ',staff.lastname) AS sendername, staff.uid as staffuid
FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS reply
JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail ON mail.id = reply.replytoid
JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = reply.fromid
- WHERE reply.id = " . esc_sql($jsst_id);
+ WHERE reply.id = " . intval($jsst_id);
}
$jsst_result = jssupportticket::$_db->get_row($jsst_query);
$jsst_query = "SELECT staff.email
FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail
JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = mail.toid
- WHERE mail.id = " . esc_sql($jsst_id);
+ WHERE mail.id = " . intval($jsst_id);
$jsst_email = jssupportticket::$_db->get_var($jsst_query);
$jsst_result->receveremail = $jsst_email;
return $jsst_result;
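Review bot: `$jsst_result->receveremail = $jsst_email;` executes even when `get_row()` returned null for an unknown mail id, which on PHP 8 throws "Attempt to assign property on null"; return early when `$jsst_result` is empty. The property name `receveremail` also looks like a typo for `receiveremail`; if callers already read it, keep it but document it.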
@@ -1903,7 +1903,7 @@
return false;
$jsst_query = "SELECT staff.email
FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff
- WHERE staff.id = " . esc_sql($jsst_id);
+ WHERE staff.id = " . intval($jsst_id);
$jsst_emailaddress = jssupportticket::$_db->get_var($jsst_query);
return $jsst_emailaddress;
}
@@ -1913,7 +1913,7 @@
return false;
$jsst_query = "SELECT staff.uid
FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff
- WHERE staff.id = " . esc_sql($jsst_id);
+ WHERE staff.id = " . intval($jsst_id);
$jsst_emailaddress = jssupportticket::$_db->get_var($jsst_query);
return $jsst_emailaddress;
}
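Review bot: this function selects `staff.uid` but stores and returns it as `$jsst_emailaddress`, a copy of the email lookup in the previous hunk; rename the variable to `$jsst_uid` so the return value is not misread as an address.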
@@ -1921,7 +1921,7 @@
private function getLatestReplyByTicketId($jsst_id) {
if (!is_numeric($jsst_id))
return false;
- $jsst_query = "SELECT reply.message FROM `" . jssupportticket::$_db->prefix . "js_ticket_replies` AS reply WHERE reply.ticketid = " . esc_sql($jsst_id) . " ORDER BY reply.created DESC LIMIT 1";
+ $jsst_query = "SELECT reply.message FROM `" . jssupportticket::$_db->prefix . "js_ticket_replies` AS reply WHERE reply.ticketid = " . intval($jsst_id) . " ORDER BY reply.created DESC LIMIT 1";
$jsst_message = jssupportticket::$_db->get_var($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -2013,7 +2013,7 @@
FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` AS ticket
JOIN `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department ON department.id = ticket.departmentid
JOIN `" . jssupportticket::$_db->prefix . "js_ticket_email` AS email ON email.id = department.emailid
- WHERE ticket.id = " . esc_sql($jsst_id);
+ WHERE ticket.id = " . intval($jsst_id);
$jsst_email = jssupportticket::$_db->get_row($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -2030,7 +2030,7 @@
private function getDefaultSenderEmailAndName() {
$jsst_emailid = jssupportticket::$_config['default_alert_email'];
if(!is_numeric($jsst_emailid)) return false;
- $jsst_query = "SELECT email,name FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE id = " . esc_sql($jsst_emailid);
+ $jsst_query = "SELECT email,name FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE id = " . intval($jsst_emailid);
$jsst_email = jssupportticket::$_db->get_row($jsst_query);
return $jsst_email;
}
@@ -2040,7 +2040,7 @@
// If multiformid is provided
if (!empty($jsst_multiformid)) {
- $jsst_query .= " AND multiformid = " . esc_sql($jsst_multiformid);
+ $jsst_query .= " AND multiformid = " . intval($jsst_multiformid);
$jsst_template = jssupportticket::$_db->get_row($jsst_query);
// If no form-specific template is found, fallback to default
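Review bot: `!empty($jsst_multiformid)` lets a non-numeric value through, and `intval()` then maps it to `0`, so the query looks up `multiformid = 0` instead of skipping to the default-template fallback the comment describes; test `intval($jsst_multiformid) > 0` before appending the clause.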
@@ -2075,7 +2075,7 @@
. " LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department ON department.id = ticket.departmentid "
. jssupportticket::$_addon_query['join']
. " LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_priorities` AS priority ON priority.id = ticket.priorityid "
- . " WHERE ticket.id = " . esc_sql($jsst_id);
+ . " WHERE ticket.id = " . intval($jsst_id);
do_action('jsst_reset_aadon_query');
break;
default:
--- a/js-support-ticket/modules/emailtemplate/model.php
+++ b/js-support-ticket/modules/emailtemplate/model.php
@@ -70,7 +70,7 @@
$jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . esc_sql($jsst_tempatefor) . "'";
}
if (!empty($jsst_formid)) {
- $jsst_query .= " AND multiformid = " . esc_sql($jsst_formid);
+ $jsst_query .= " AND multiformid = " . intval($jsst_formid);
} else {
$jsst_query .= " AND (multiformid IS NULL OR multiformid = '')";
}
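Review bot: `!empty($jsst_formid)` followed by `intval()` turns a non-numeric `$jsst_formid` into `multiformid = 0` rather than taking the `else` branch that matches `NULL` or `''`; branch on `intval($jsst_formid) > 0` so the default template is selected in that case.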
--- a/js-support-ticket/modules/fieldordering/model.php
+++ b/js-support-ticket/modules/fieldordering/model.php
@@ -26,7 +26,7 @@
// Data
// $jsst_query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE published = 1 AND fieldfor = 1 ORDER BY ordering LIMIT ".JSSTpagination::getOffset().", ".JSSTpagination::getLimit();
- $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE fieldfor = ".esc_sql($jsst_fieldfor);
+ $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE fieldfor = ".intval($jsst_fieldfor);
$jsst_query .= $jsst_inquery." ORDER BY ordering ";
jssupportticket::$jsst_data[0] = jssupportticket::$_db->get_results($jsst_query);
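Review bot: the cast covers `fieldfor`, but `$jsst_inquery` is appended to the query raw on the following line; confirm in the surrounding function that every fragment it is built from is cast or escaped, otherwise this hunk fixes one parameter of the statement and leaves the other open.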
@@ -40,14 +40,14 @@
if (!is_numeric($jsst_id))
return false;
if ($jsst_status == 'publish') {
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 1 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 1 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
}
JSSTmessage::setMessage(esc_html(__('Field mark as published', 'js-support-ticket')),'updated');
} elseif ($jsst_status == 'unpublish') {
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 0 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 0 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -61,12 +61,12 @@
if (!is_numeric($jsst_id))
return false;
if ($jsst_status == 'publish') {
- $jsst_query = "SELECT adminonly FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE id = " . esc_sql($jsst_id);
+ $jsst_query = "SELECT adminonly FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE id = " . intval($jsst_id);
$jsst_adminonly = jssupportticket::$_db->get_var($jsst_query);
if(!empty($jsst_adminonly)){
JSSTmessage::setMessage(esc_html(__('Field cannot be mark as published', 'js-support-ticket')),'error');
}else{
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 1 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 1 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -74,7 +74,7 @@
JSSTmessage::setMessage(esc_html(__('Field mark as published', 'js-support-ticket')),'updated');
}
} elseif ($jsst_status == 'unpublish') {
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 0 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 0 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -88,23 +88,23 @@
if (!is_numeric($jsst_id))
return false;
- // $jsst_query = "SELECT field FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE id =".esc_sql($jsst_id);
+ // $jsst_query = "SELECT field FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE id =".intval($jsst_id);
// $jsst_child = jssupportticket::$_db->get_var($jsst_query);
- // $jsst_query = "SELECT count(id) FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE visible_field = '".esc_sql($jsst_child)."'";
+ // $jsst_query = "SELECT count(id) FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE visible_field = '".intval($jsst_child)."'";
// $jsst_count = jssupportticket::$_db->get_var($jsst_query);
// if ($jsst_count > 0) {
// JSSTmessage::setMessage(esc_html(__('Field cannot mark as required', 'js-support-ticket')), 'error');
// return;
// }
if ($jsst_status == 'required') {
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 1 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 1 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
}
JSSTmessage::setMessage(esc_html(__('Field mark as required', 'js-support-ticket')),'updated');
} elseif ($jsst_status == 'unrequired') {
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 0 WHERE id = " . esc_sql($jsst_id) . " AND cannotunpublish = 0";
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 0 WHERE id = " . intval($jsst_id) . " AND cannotunpublish = 0";
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
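Review bot: the first two changed lines of this hunk edit commented-out code, and the second of them is wrong if it is ever revived: `$jsst_child` holds a field name compared against `visible_field` inside quotes, where `esc_sql()` was the right call and `intval()` would reduce the name to `0`. Either delete the dead block or leave it untouched rather than carrying an incorrect version forward.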
@@ -120,16 +120,16 @@
if ($jsst_action == 'down') {
$jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f1, `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f2
SET f1.ordering = f1.ordering - 1 WHERE f1.ordering = f2.ordering + 1 AND f1.fieldfor = f2.fieldfor
- AND f2.id = " . esc_sql($jsst_id);
+ AND f2.id = " . intval($jsst_id);
jssupportticket::$_db->query($jsst_query);
- $jsst_query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering + 1 WHERE id = " . esc_sql($jsst_id);
+ $jsst_query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering + 1 WHERE id = " . intval($jsst_id);
jssupportticket::$_db->query($jsst_query);
JSSTmessage::setMessage(esc_html(__('Field ordering down', 'js-support-ticket')),'updated');
} elseif ($jsst_action == 'up') {
$jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f1, `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f2 SET f1.ordering = f1.ordering + 1
- WHERE f1.ordering = f2.ordering - 1 AND f1.fieldfor = f2.fieldfor AND f2.id = " . esc_sql($jsst_id);
+ WHERE f1.ordering = f2.ordering - 1 AND f1.fieldfor = f2.fieldfor AND f2.id = " . intval($jsst_id);
jssupportticket::$_db->query($jsst_query);
- $jsst_query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering - 1 WHERE id = " . esc_sql($jsst_id);
+ $jsst_query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering - 1 WHERE id = " . intval($jsst_id);
jssupportticket::$_db->query($jsst_query);
JSSTmessage::setMessage(esc_html(__('Field ordering up', 'js-support-ticket')),'updated');
}
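Review bot: each branch issues two UPDATE statements (shift the neighbouring row, then move the selected field) with no transaction and no `last_error` check between them, unlike the other hunks in this file; a failure after the first statement leaves two rows with the same `ordering`. Wrap both statements in a transaction, or at minimum check `last_error` after each.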
@@ -160,7 +160,7 @@
$jsst_adminonly = ' AND adminonly != 1 ';
}
}
- $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE ".$jsst_published." AND fieldfor = " . esc_sql($jsst_fieldfor);
+ $jsst_query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE ".$jsst_published." AND fieldfor = " . intval($jsst_fieldfor);
if ($jsst_fieldfor == 1) {
$jsst_query .= " AND multiformid = " . intval($jsst_formid);
}
@@ -195,7 +195,7 @@
if ($jsst_data['isuserfield'] == 1) {
// value to add as field ordering
if ($jsst_data['id'] == '') { // only for new
- $jsst_query = "SELECT max(ordering) FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor=".esc_sql($jsst_data['fieldfor']);
+ $jsst_query = "SELECT max(ordering) FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor=".intval($jsst_data['fieldfor']);
$jsst_var = jssupportticket::$_db->get_var($jsst_query);
$jsst_data['ordering'] = $jsst_var + 1;
if(isset($jsst_data['userfieldtype']) && ($jsst_data['userfieldtype'] == 'file' || $jsst_data['userfieldtype'] == 'termsandconditions' ) ){
@@ -271,7 +271,7 @@
// new start
if (!empty($jsst_data['id'])) {
- $jsst_query = "SELECT id, visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".esc_sql($jsst_data['multiformid']);
+ $jsst_query = "SELECT id, visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".intval($jsst_data['multiformid']);
$jsst_query_results = jssupportticket::$_db->get_results($jsst_query);
if (!empty($jsst_query_results)) {
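Review bot: `LIKE '%" . esc_sql($jsst_fieldname) . "%'` escapes quotes but not the LIKE wildcards, so a field name containing `%` or `_` matches more rows than intended; pass the value through `$wpdb->esc_like()` before `esc_sql()`. The same pattern appears again in the `@@ -359` hunk of this file.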
@@ -279,7 +279,7 @@
$jsst_query_fieldname = $jsst_query_result->visible_field;
$jsst_query_fieldname = jssupportticketphplib::JSST_str_replace(',' . $jsst_fieldname, '', $jsst_query_fieldname);
$jsst_query_fieldname = jssupportticketphplib::JSST_str_replace($jsst_fieldname, '', $jsst_query_fieldname);
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET visible_field = '" . esc_sql($jsst_query_fieldname) . "' WHERE id = " . esc_sql($jsst_query_result->id) . " AND multiformid = ".esc_sql($jsst_data['multiformid']);
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET visible_field = '" . esc_sql($jsst_query_fieldname) . "' WHERE id = " . esc_sql($jsst_query_result->id) . " AND multiformid = ".intval($jsst_data['multiformid']);
jssupportticket::$_db->query($jsst_query);
}
}
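Review bot: `WHERE id = " . esc_sql($jsst_query_result->id)` keeps `esc_sql()` in an unquoted numeric position on both the old and the new line. The value comes from a row the code just read, so it is not attacker-controlled, but it breaks the rule this patch applies everywhere else and will trip any future audit for the pattern; change it to `intval()` as well.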
@@ -325,7 +325,7 @@
}
// --- your database update code ---
- $jsst_query = "SELECT visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE field = '" . esc_sql($jsst_visibleParents[$jsst_index]) . "' AND multiformid = ".esc_sql($jsst_data['multiformid']);
+ $jsst_query = "SELECT visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE field = '" . esc_sql($jsst_visibleParents[$jsst_index]) . "' AND multiformid = ".intval($jsst_data['multiformid']);
$jsst_old_fieldname = jssupportticket::$_db->get_var($jsst_query);
$jsst_new_fieldname = $jsst_fieldname;
@@ -338,7 +338,7 @@
$jsst_new_fieldname = $jsst_old_fieldname . ',' . $jsst_new_fieldname;
}
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET visible_field = '" . esc_sql($jsst_new_fieldname) . "' WHERE field = '" . esc_sql($jsst_visibleParents[$jsst_index]) . "' AND multiformid = ".esc_sql($jsst_data['multiformid']);
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET visible_field = '" . esc_sql($jsst_new_fieldname) . "' WHERE field = '" . esc_sql($jsst_visibleParents[$jsst_index]) . "' AND multiformid = ".intval($jsst_data['multiformid']);
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
@@ -359,7 +359,7 @@
if ($jsst_data['fieldfor'] != 3) {
$jsst_data['visibleparams'] = '';
// If editing old field
- $jsst_query = "SELECT id, visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".esc_sql($jsst_data['multiformid']);
+ $jsst_query = "SELECT id, visible_field FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".intval($jsst_data['multiformid']);
$jsst_query_results = jssupportticket::$_db->get_results($jsst_query);
if (!empty($jsst_query_results)) {
foreach ($jsst_query_results as $jsst_query_result) {
@@ -466,7 +466,7 @@
/* get parent saved data */
$jsst_query = "SELECT * FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering where
- id = '". esc_sql($jsst_data['id'])."'";
+ id = '". intval($jsst_data['id'])."'";
$jsst_parent = jssupportticket::$_db->get_row($jsst_query);
/* get parent saved data */
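Review bot: `id = '" . intval($jsst_data['id']) . "'` now quotes an integer; MySQL accepts it, but drop the surrounding quotes so the statement matches the unquoted `id = intval(...)` form used in the rest of this patch.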
@@ -494,11 +494,11 @@
$jsst_clasue = ' , ';
}
if(isset($jsst_data['published']) && $jsst_data['published'] != null){
- $jsst_inquery .= $jsst_clasue." published = ". esc_sql($jsst_data['published']);
+ $jsst_inquery .= $jsst_clasue." published = ". intval($jsst_data['published']);
$jsst_clasue = ' , ';
}
if(isset($jsst_data['isvisitorpublished']) && $jsst_data['isvisitorpublished'] != null){
- $jsst_inquery .= $jsst_clasue." isvisitorpublished = ". esc_sql($jsst_data['isvisitorpublished']);
+ $jsst_inquery .= $jsst_clasue." isvisitorpublished = ". intval($jsst_data['isvisitorpublished']);
$jsst_clasue = ' , ';
}
if(isset($jsst_data['placeholder']) && $jsst_data['placeholder'] != null){
@@ -510,27 +510,27 @@
$jsst_clasue = ' , ';
}
if(isset($jsst_data['required']) && $jsst_data['required'] != null){
- $jsst_inquery .= $jsst_clasue." required = ". esc_sql($jsst_data['required']);
+ $jsst_inquery .= $jsst_clasue." required = ". intval($jsst_data['required']);
$jsst_clasue = ' , ';
}
if(isset($jsst_data['search_user']) && $jsst_data['search_user'] != null){
- $jsst_inquery .= $jsst_clasue." search_user = ". esc_sql($jsst_data['search_user']);
+ $jsst_inquery .= $jsst_clasue." search_user = ". intval($jsst_data['search_user']);
$jsst_clasue = ' , ';
}
if(isset($jsst_data['search_admin']) && $jsst_data['search_admin'] != null){
- $jsst_inquery .= $jsst_clasue." search_admin = ". esc_sql($jsst_data['search_admin']);
+ $jsst_inquery .= $jsst_clasue." search_admin = ". intval($jsst_data['search_admin']);
$jsst_clasue = ' , ';
}
if(isset($jsst_data['search_visitor']) && $jsst_data['search_visitor'] != null){
- $jsst_inquery .= $jsst_clasue." search_visitor = ". esc_sql($jsst_data['search_visitor']);
+ $jsst_inquery .= $jsst_clasue." search_visitor = ". intval($jsst_data['search_visitor']);
$jsst_clasue = ' , ';
}
if(isset($jsst_data['showonlisting']) && $jsst_data['showonlisting'] != null){
- $jsst_inquery .= $jsst_clasue." showonlisting = ". esc_sql($jsst_data['showonlisting']);
+ $jsst_inquery .= $jsst_clasue." showonlisting = ". intval($jsst_data['showonlisting']);
$jsst_clasue = ' , ';
}
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ".$jsst_inquery." WHERE id = " . esc_sql($jsst_data['id']) ;
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ".$jsst_inquery." WHERE id = " . intval($jsst_data['id']) ;
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
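Review bot: `$jsst_inquery` is assembled only from the fields that pass the `isset(...) && ... != null` checks above, so when none of them fire the statement becomes `UPDATE ... SET  WHERE id = N`, a syntax error that `last_error` reports but that is better avoided by returning early when `$jsst_inquery` is empty. The `!= null` after `isset()` is also redundant, since `isset()` already excludes null.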
@@ -545,7 +545,7 @@
if(!is_numeric($jsst_parentfield)) return false;
if(empty($jsst_field)) return false;
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET depandant_field = '" . esc_sql($jsst_field) . "' WHERE id = " . esc_sql($jsst_parentfield)." AND fieldfor = ".esc_sql($jsst_fieldfor);
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET depandant_field = '" . esc_sql($jsst_field) . "' WHERE id = " . intval($jsst_parentfield)." AND fieldfor = ".intval($jsst_fieldfor);
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -577,7 +577,7 @@
//$jsst_childNew = wp_json_encode( stripslashes_deep($jsst_childNew) );
$jsst_childNew = wp_json_encode( $jsst_childNew );
$jsst_child->userfieldparams = $jsst_childNew;
- $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET userfieldparams = '" . esc_sql($jsst_childNew) . "' WHERE id = " . esc_sql($jsst_child->id);
+ $jsst_query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET userfieldparams = '" . esc_sql($jsst_childNew) . "' WHERE id = " . intval($jsst_child->id);
jssupportticket::$_db->query($jsst_query);
if (jssupportticket::$_db->last_error != null) {
@@ -597,14 +597,14 @@
if(!is_numeric($jsst_fieldfor)) return false;
$jsst_wherequery = '';
if(isset($jsst_parentfield) && $jsst_parentfield !='' ){
- $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".esc_sql($jsst_fieldfor)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo'OR userfieldtype = 'depandant_field') AND depandant_field = '" . esc_sql($jsst_parentfield) . "' ";
+ $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".intval($jsst_fieldfor)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo'OR userfieldtype = 'depandant_field') AND depandant_field = '" . esc_sql($jsst_parentfield) . "' ";
$jsst_parent = jssupportticket::$_db->get_var($jsst_query);
- $jsst_wherequery = ' OR id = '.esc_sql($jsst_parent);
+ $jsst_wherequery = ' OR id = '.intval($jsst_parent);
}
- $jsst_query = "SELECT fieldtitle AS text ,id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".esc_sql($jsst_fieldfor)." AND multiformid = ".intval($jsst_formid)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo' OR userfieldtype = 'depandant_field') AND (depandant_field = '' ".esc_sql($jsst_wherequery)." ) ";
+ $jsst_query = "SELECT fieldtitle AS text ,id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".intval($jsst_fieldfor)." AND multiformid = ".intval($jsst_formid)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo' OR userfieldtype = 'depandant_field') AND (depandant_field = '' ".esc_sql($jsst_wherequery)." ) ";
$jsst_data = jssupportticket::$_db->get_results($jsst_query);
if(isset($jsst_parentfield) && $jsst_parentfield !='' ){
- $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".esc_sql($jsst_fieldfor)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo'OR userfieldtype = 'depandant_field') AND depandant_field = '" . esc_sql($jsst_parentfield) . "' ";
+ $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".intval($jsst_fieldfor)." AND (userfieldtype = 'radio' OR userfieldtype = 'combo'OR userfieldtype = 'depandant_field') AND depandant_field = '" . esc_sql($jsst_parentfield) . "' ";
$jsst_parent = jssupportticket::$_db->get_var($jsst_query);
}
$jsst_nonce = wp_create_nonce("get-section-to-fill-values-".$jsst_fieldfor);
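Review bot: `esc_sql($jsst_wherequery)` in the `(depandant_field = '' ... )` clause escapes a SQL fragment rather than a value; now that the fragment is built from `intval($jsst_parent)` it contains nothing to escape, but the call disguises raw SQL being spliced into the statement. Build the clause as `OR id = %d` through `prepare()` instead. The `SELECT id ... depandant_field = ...` query at the end of the hunk also repeats the one at its start verbatim; reuse the `$jsst_parent` already fetched.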
@@ -619,15 +619,15 @@
if(!is_numeric($jsst_fieldfor)) return false;
$jsst_wherequery = '';
if(isset($jsst_field) && $jsst_field !='' ){
- $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".esc_sql($jsst_fieldfor)." AND (userfieldtype IN ( 'combo', 'text', 'checkbox', 'date', 'email', 'radio', 'multiple') ) AND visible_field = '" . esc_sql($jsst_field) . "' ";
+ $jsst_query = "SELECT id FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE fieldfor = ".intval($jsst_fieldfor)." AND (userfieldtype IN ( 'combo', 'text', 'checkbox', 'date', 'email', 'radio', 'multiple') ) AND visible_field = '" . esc_sql($jsst_field) . "' ";
$jsst_parent = jssupportticket::$_db->get_var($jsst_query);
if ($jsst_parent) {
- $jsst_wherequery = ' OR id = '.esc_sql($jsst_parent);
+ $jsst_wherequery = ' OR id = '.intval($jsst_parent);
}
}
$jsst_wherequeryforedit = '';
if(isset($jsst_cid) && $jsst_cid !='' ){
- $jsst_wherequeryforedit = ' AND id != '.esc_sql($jsst_cid);
+ $jsst_wherequeryforedit = ' AND id != '.intval($jsst_cid);
}
// Base fields always included
@@ -646,14 +646,14 @@
SELECT fieldtitle AS text, field AS id
FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering
WHERE (
- fieldfor = " . esc_sql($jsst_fieldfor) . "
- AND multiformid = '" . esc_sql($jss
Frequently Asked Questions
What is CVE-2026-48886?
Understanding the vulnerability
CVE-2026-48886 is a high-severity SQL injection vulnerability in the JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress, affecting versions up to and including 3.0.9. It allows unauthenticated attackers to inject arbitrary SQL commands into database queries, potentially leading to sensitive data extraction.

How does the SQL injection vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation on user-supplied parameters that are concatenated directly into SQL queries. Numeric parameters were passed through esc_sql(), which escapes string literals but neither validates nor casts numeric values, so attackers can manipulate these parameters to execute arbitrary SQL commands that extract or modify data in the WordPress database.

Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site running JS Help Desk version 3.0.9 or earlier is at risk. Administrators can check the installed plugin version in the WordPress admin panel under 'Plugins' to determine whether they are affected.

How can I fix or mitigate this vulnerability?
Steps to secure your site
Update the JS Help Desk plugin to version 3.1.0 or later, which includes a patch that replaces the vulnerable SQL query handling with safer practices. Check all plugins for updates regularly to maintain security.

What does a CVSS score of 7.5 indicate?
Understanding risk levels
A CVSS score of 7.5 indicates a high-severity risk: successful exploitation could have significant consequences, including unauthorized access to sensitive data. Administrators should prioritize addressing vulnerabilities with such scores.

What is the proof of concept (PoC) for this vulnerability?
Demonstrating the issue
The PoC involves sending crafted HTTP requests to the plugin's AJAX endpoints with manipulated parameters, allowing attackers to execute SQL injection commands. For example, a request like 'POST /wp-admin/admin-ajax.php?action=jssupportticket_getcustomfields&fieldfor=1 UNION SELECT …' demonstrates the vulnerability.

What types of data could be exposed through this vulnerability?
Potential data breaches
Exploitation could allow attackers to read sensitive information such as usernames, password hashes, email addresses, and session tokens from the WordPress database, which could lead to further attacks or account takeovers.

What additional security measures should I consider?
Enhancing overall security
In addition to updating the plugin, consider deploying a Web Application Firewall (WAF) to block SQL injection attempts and audit your WordPress site for vulnerabilities regularly. Strong user authentication and monitoring for unusual activity also improve security.

How can I verify if the patch has been applied?
Checking for successful updates
Check the plugin version in your WordPress admin panel and make sure it is 3.1.0 or later. Additionally, review the plugin code to confirm that 'esc_sql()' has been replaced with 'intval()' in SQL queries that handle numeric parameters.

What are the implications of not addressing this vulnerability?
Consequences of inaction
Failing to address this vulnerability can lead to unauthorized access to your database, resulting in data theft, loss of user trust, and potential legal repercussions. Act promptly to protect your WordPress site.

Are there any specific configurations that increase risk?
Understanding risk factors
Sites that allow unauthenticated access to AJAX endpoints or have weak security configurations are at higher risk. Ensure that your site enforces proper authentication and authorization checks for sensitive actions.

What should I do if I suspect exploitation?
Responding to potential breaches
If you suspect exploitation, immediately review your server logs for unusual activity, change passwords, and consider restoring from a backup taken before the exploitation. Engage security professionals to assess and remediate any damage.
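The answers to "How does the SQL injection vulnerability work?" and "How can I verify if the patch has been applied?" both come down to one code pattern: esc_sql() applied to a value that lands in an unquoted numeric position. The Python scanner below is an added example, not part of this page or of the plugin; it flags that pattern in PHP source, separates it from the quoted-string uses the patch deliberately left alone, and applies the patch's own esc_sql() to intval() rewrite. The sample PHP lines are constructed to mirror the query shapes in the diff.

```python
import re
from dataclasses import dataclass
from typing import List

# A PHP string literal immediately followed by the "." concatenation operator,
# i.e. the SQL text that directly precedes an esc_sql() call on the same line.
_PRECEDING_LITERAL = re.compile(r'''(["'])((?:\\.|(?!\1).)*)\1\s*\.\s*$''')
# An esc_sql(...) call; one level of nested parentheses is tolerated in the argument.
_ESC_SQL_CALL = re.compile(r'\besc_sql\s*\(\s*([^()]*(?:\([^()]*\))?[^()]*)\)')


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    arg: str       # expression passed to esc_sql()
    context: str   # "numeric", "quoted" or "unknown"


def classify(prefix: str) -> str:
    """Classify the SQL position the esc_sql() value lands in.

    "numeric": the literal before the call ends in an operator (WHERE id = ").
               esc_sql() only escapes quotes, so an unquoted payload passes
               through untouched; this is the CVE-2026-48886 pattern.
    "quoted":  the literal ends in a quote, optionally followed by LIKE
               wildcards (templatefor = '" or LIKE '%"), so the value is a
               string literal and quote escaping is the right control.
    "unknown": esc_sql() is not concatenated directly to a string literal.
    """
    m = _PRECEDING_LITERAL.search(prefix)
    if not m:
        return "unknown"
    tail = m.group(2).rstrip().rstrip("%")
    return "quoted" if tail.endswith(("'", '"')) else "numeric"


def scan_php(source: str) -> List[Finding]:
    """Report every live esc_sql() call together with its SQL context."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # commented-out code is not reachable
        for m in _ESC_SQL_CALL.finditer(line):
            findings.append(Finding(lineno, m.group(1).strip(),
                                    classify(line[:m.start()])))
    return findings


def numeric_findings(source: str) -> List[Finding]:
    """Only the calls where esc_sql() is the sole guard on an unquoted value."""
    return [f for f in scan_php(source) if f.context == "numeric"]


def harden_line(line: str) -> str:
    """Apply the patch's rule to one line: esc_sql() -> intval() in numeric
    positions only; quoted string contexts keep esc_sql()."""
    out, pos = [], 0
    for m in _ESC_SQL_CALL.finditer(line):
        out.append(line[pos:m.start()])
        if classify(line[:m.start()]) == "numeric":
            out.append("intval(" + m.group(1).strip() + ")")
        else:
            out.append(m.group(0))
        pos = m.end()
    out.append(line[pos:])
    return "".join(out)


# Constructed sample modelled on the query shapes in the CVE-2026-48886 diff;
# it is not the plugin's actual source.
SAMPLE_PHP = r'''<?php
$jsst_query = "SELECT departmentname FROM `" . $prefix . "js_ticket_departments` WHERE id = " . esc_sql($jsst_id);
$jsst_query = "SELECT departmentsignature FROM `" . $prefix . "js_ticket_departments` WHERE id = " . intval($jsst_id);
$jsst_query .= " AND multiformid = " . esc_sql($jsst_formid);
$jsst_query = "SELECT * FROM `" . $prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . esc_sql($jsst_tempatefor) . "'";
$jsst_wherequery = ' OR id = '.esc_sql($jsst_parent);
$jsst_query = "SELECT id FROM t WHERE visible_field LIKE '%" . esc_sql($jsst_fieldname) . "%' AND multiformid = ".esc_sql($jsst_data['multiformid']);
// $jsst_query = "SELECT field FROM t WHERE id =".esc_sql($jsst_id);
'''

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f.line}: esc_sql({f.arg}) in {f.context} context")
    print("numeric-context calls to fix:", len(numeric_findings(SAMPLE_PHP)))
    for line in SAMPLE_PHP.splitlines():
        if "esc_sql(" in line:
            print(harden_line(line))
```

Run scan_php() over a plugin checkout to confirm an update left no numeric-context esc_sql() behind; "unknown" results need a manual look.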