CVE-2022-46838

9.1 CRITICAL

📋 TL;DR

This vulnerability lets unauthenticated attackers change the settings of the JS Help Desk WordPress plugin because the settings-change handler performs no authorization check. Any WordPress site running an affected version of the plugin is exposed to unauthorized configuration changes.

💻 Affected Systems

Products:
  • JS Help Desk – Best Help Desk & Support Plugin (WordPress plugin)
Versions: All versions up to and including 2.7.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated.

📦 What is this software?

JS Help Desk is a WordPress plugin that adds help desk and support-ticket functionality to a site (plugin directory slug: js-support-ticket). Its configuration is managed from the WordPress admin panel, which is what the vulnerable settings endpoint serves.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker who can rewrite the plugin's configuration uses it as a stepping stone to full site compromise (privilege escalation, data theft or malware injection), depending on which settings the plugin exposes.

🟠 Likely Case: Unauthorized configuration changes that expose ticket data, break help desk functionality, or prepare a backdoor.

🟢 If Mitigated: Limited impact if a web application firewall drops unauthenticated requests to the plugin's settings endpoint, or if the site is only reachable from trusted networks.

🌐 Internet-Facing: HIGH - WordPress sites are usually reachable from the internet, and the vulnerable endpoint needs no login, so any visitor can send the request.
🏢 Internal Only: MEDIUM - the flaw is still unauthenticated, so anyone who can reach the site's admin-ajax.php endpoint on the internal network can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only crafted HTTP requests to the vulnerable endpoint; no account, session or prior access is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.2 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-2-7-1-unauthenticated-settings-change-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the plugin to version 2.7.2 or later via the WordPress admin panel.
2. Verify the update completed successfully.
3. Test help desk functionality.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the vulnerable plugin until it is patched:

wp plugin deactivate js-support-ticket

Web Application Firewall Rule (applies to: all)

Block requests to the plugin's settings endpoint that do not come from a logged-in WordPress session (requests to /wp-admin/admin-ajax.php carrying action=jsstsetting; see Detection & Monitoring below). A WAF rule is a stopgap only; the fix is the 2.7.2 update.

🧯 If You Can't Patch

  • Remove plugin from production environment
  • Implement strict network access controls to limit plugin exposure

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel (Plugins page), check whether JS Help Desk reports version 2.7.1 or earlier. The endpoint is only reachable while the plugin is active, but a vulnerable copy left installed becomes exploitable again the moment it is reactivated.

Check Version:

wp plugin get js-support-ticket --field=version

Verify Fix Applied:

Confirm the plugin reports version 2.7.2 or later in the WordPress admin panel (or via the wp-cli command above).
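As an added example (not part of the advisory or of the plugin), the following Python script performs the version check above without the admin panel or wp-cli: it reads the Version: line from the plugin header in wp-content/plugins/js-support-ticket/ and compares it numerically against 2.7.2. The plugin directory slug is the one used by the wp-cli command above; the WordPress root path is an assumption passed on the command line.

```python
"""Check whether an installed JS Help Desk plugin is at a version affected by
CVE-2022-46838 (<= 2.7.1).  Added example, not part of the advisory or the
plugin.  Assumes the standard WordPress layout wp-content/plugins/<slug>/."""
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "js-support-ticket"   # directory name used by the wp-cli command above
FIXED_VERSION = "2.7.2"

# WordPress plugin header line, e.g. " * Version: 2.7.1" in the main PHP file's comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)


def parse_version(text):
    """Turn '2.7.1' into (2, 7, 1) so comparisons are numeric, not lexical
    ('2.10' must sort after '2.9')."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable(version):
    """True when the version is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_header_text(php_source):
    """Extract the Version: value from a plugin's header comment, or None.
    WordPress itself only inspects the first 8 KiB of the file for headers."""
    m = HEADER_RE.search(php_source[:8192])
    return m.group(1) if m else None


def plugin_version(plugin_dir):
    """Find the plugin's declared version by scanning its top-level PHP files."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        version = version_from_header_text(php.read_text(errors="replace"))
        if version:
            return version
    return None


def check_site(wp_root):
    """Return a small report dict for the WordPress install at wp_root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return {"installed": False, "version": None, "vulnerable": False}
    version = plugin_version(plugin_dir)
    if version is None:
        # Header not found: report it rather than guess; inspect the directory manually.
        return {"installed": True, "version": None, "vulnerable": None}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"   # assumed default docroot
    report = check_site(root)
    print(report)
    sys.exit(1 if report["vulnerable"] else 0)
```

Run it as `python3 check_jshelpdesk.py /path/to/wordpress`; a non-zero exit means an affected version is on disk. The check reads files, not the running site, so it also flags a vulnerable copy that is installed but deactivated, which is the case the admin-panel check can miss.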

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=jsstsetting that do not come from a logged-in session
  • Plugin settings that change without a matching admin session or change record

Network Indicators:

  • Requests to the plugin's admin-ajax endpoint that carry no WordPress login cookie (wordpress_logged_in_*). WordPress authenticates admin-ajax calls by cookie, not by an Authorization header, so this is only visible if your log format or WAF records cookies.

SIEM Query (pseudo-fields; map them to your log schema):

source="web_server" AND uri="/wp-admin/admin-ajax.php" AND (query_string LIKE "%action=jsstsetting%" OR post_data LIKE "%action=jsstsetting%") AND NOT auth_status="success"

post_data only exists if the web server or WAF logs request bodies; a plain access log shows the action only when it is sent in the query string. Do not exclude hits by user agent: the User-Agent header is attacker-controlled and trivially set to look like WordPress itself.
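To turn the indicators above into something runnable, here is an added Python example (not from the advisory or the plugin) that scans access-log lines for admin-ajax.php requests carrying action=jsstsetting and reports whether each came from a logged-in session. The log lines are constructed for the example; the trailing quoted Cookie field is an assumed custom log format (a stock combined log has no cookie column and no request body, so a POST that carries the action only in its body will not match here and must be caught at the WAF or with request-body logging).

```python
"""Scan web-server access logs for the CVE-2022-46838 indicator: requests to
/wp-admin/admin-ajax.php with action=jsstsetting.  Added example, not part of
the advisory or the plugin.  Assumes a combined log format extended with the
request's Cookie header as a final quoted field (custom format, assumption)."""
import re
from urllib.parse import parse_qs, urlsplit

SUSPECT_ACTION = "jsstsetting"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format, plus an optional trailing quoted Cookie header.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?'
)

# Constructed sample lines, not real traffic: one unauthenticated settings
# request, one from a logged-in admin, and two unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=jsstsetting HTTP/1.1" 200 45 "-" "python-requests/2.28.1" "-"
198.51.100.4 - - [10/Jan/2023:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=jsstsetting HTTP/1.1" 200 45 "https://shop.example/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_5f3a=admin%7C1673000000%7Cabc; wp-settings-1=x"
192.0.2.9 - - [10/Jan/2023:10:03:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Jan/2023:10:04:00 +0000] "GET /?p=1 HTTP/1.1" 200 900 "-" "curl/7.85.0" "-"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    # WordPress marks a logged-in session with a wordpress_logged_in_<hash> cookie.
    rec["authenticated"] = "wordpress_logged_in_" in (rec.get("cookie") or "")
    return rec


def find_settings_change_attempts(log_text):
    """Return every admin-ajax request whose action parameter is the suspect one."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(AJAX_PATH):
            continue
        if SUSPECT_ACTION not in rec["query"].get("action", []):
            continue
        hits.append({k: rec[k] for k in ("ip", "ts", "method", "status", "ua", "authenticated")})
    return hits


def unauthenticated_attempts(log_text):
    """The subset that carried no login cookie: the exploitation pattern for this CVE."""
    return [h for h in find_settings_change_attempts(log_text) if not h["authenticated"]]


if __name__ == "__main__":
    for hit in find_settings_change_attempts(SAMPLE_LOG):
        flag = "UNAUTHENTICATED" if not hit["authenticated"] else "logged-in"
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['status']} [{flag}] {hit['ua']}")
```

Feed it real log text in place of SAMPLE_LOG. If your log format has no cookie column, every hit is reported as unauthenticated, so in that case treat the output as a list of settings requests to triage against admin activity rather than as confirmed exploitation.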
