Cyber Posture

CVE-2024-13606

High

Published: 13 February 2025
Modified: 18 February 2025
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0029 (52.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the 'jssupportticketdata' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/jssupportticketdata directory which can contain file attachments included in support tickets.

Security Summary

CVE-2024-13606 is a sensitive information exposure vulnerability affecting the JS Help Desk – The Ultimate Help Desk & Support Plugin for WordPress in all versions up to and including 2.8.8. The issue stems from insecure storage of data in the /wp-content/uploads/jssupportticketdata directory, which can contain file attachments from support tickets. This flaw, classified under CWE-200, has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity by directly accessing the exposed jssupportticketdata directory. Successful exploitation allows extraction of sensitive data, such as file attachments included in support tickets, potentially leading to disclosure of confidential information without affecting integrity or availability.

Advisories, including those from Wordfence, highlight the vulnerability and reference the affected code in the plugin's uploads.php file at version 2.8.8. Mitigation involves updating the plugin to a version beyond 2.8.8, where the insecure directory exposure is addressed, and reviewing the stored uploads for attachments that may already have been exposed.
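As an added example, not code from the advisory or from the plugin itself, the following script scans web-server access logs for successful direct requests to the exposed directory and separates directory listings from attachment downloads; the log format (Apache/nginx "combined") and the sample lines are assumptions constructed for the example:

```python
import re
from collections import defaultdict

# Directory named in the advisory; direct 200 responses under it are the signal.
EXPOSED_PREFIX = "/wp-content/uploads/jssupportticketdata"

# Assumption: the site logs in the Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2025:10:01:02 +0000] "GET /wp-content/uploads/jssupportticketdata/ HTTP/1.1" 200 5120
203.0.113.7 - - [14/Feb/2025:10:01:05 +0000] "GET /wp-content/uploads/jssupportticketdata/ticket-4412/invoice.pdf HTTP/1.1" 200 88211
198.51.100.9 - - [14/Feb/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/02/logo.png HTTP/1.1" 200 3001
203.0.113.7 - - [14/Feb/2025:10:03:11 +0000] "GET /wp-content/uploads/jssupportticketdata/ticket-4413/id-scan.jpg HTTP/1.1" 404 210
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_exposure(log_text):
    """Return, per client IP, how many successful GETs under the exposed directory
    were directory listings and how many were attachment downloads.
    A 200 here means the server served the content; whether the requester owned
    the ticket must be checked against the help-desk records separately."""
    report = defaultdict(lambda: {"listings": 0, "downloads": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if path != EXPOSED_PREFIX and not path.startswith(EXPOSED_PREFIX + "/"):
            continue
        kind = "listings" if path.rstrip("/") == EXPOSED_PREFIX or path.endswith("/") else "downloads"
        report[rec["ip"]][kind] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, counts in find_exposure(SAMPLE_LOG).items():
        print(f"{ip}: {counts['listings']} listing(s), {counts['downloads']} download(s)")
```

Feed it the real access log to list which clients retrieved ticket attachments directly, then cross-check those paths against ticket ownership in the help desk.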

Details

CWE(s)
CWE-200, NVD-CWE-noinfo

Affected Products

Vendor: wiselyhub
Product: js help desk
Versions: ≤ 2.8.9

References