CVE-2024-13607: CWE-639 Authorization Bypass Through User-Controlled Key in rabilal JS Help Desk – The Ultimate Help Desk & Support Plugin
CVE-2024-13607 is an authorization bypass vulnerability in the JS Help Desk WordPress plugin up to version 2.8.8. It arises from an insecure direct object reference (IDOR) due to missing validation on a user-controlled key parameter named 'exportusereraserequest'. Authenticated users with Subscriber-level permissions or higher can exploit this flaw to export ticket data belonging to any user, potentially exposing sensitive information. The vulnerability does not require user interaction beyond authentication and has a CVSS score of 4.3 (medium severity). There are no known exploits in the wild currently, and no official patches have been released yet. Organizations using this plugin should prioritize access control reviews and consider restricting plugin usage until a fix is available. This issue primarily affects WordPress sites using this specific plugin, which is more common in English-speaking and developed countries with widespread WordPress adoption.
AI Analysis
Technical Summary
CVE-2024-13607 is a security vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the JS Help Desk – The Ultimate Help Desk & Support Plugin for WordPress, versions up to and including 2.8.8. The flaw stems from an insecure direct object reference (IDOR) caused by insufficient validation of a user-controlled parameter named 'exportusereraserequest'. This parameter is used to export ticket data, but the plugin fails to verify that the requesting user has the appropriate authorization to access the specified data. As a result, any authenticated user with at least Subscriber-level permissions can manipulate this key to export ticket information belonging to other users, bypassing intended access controls. The vulnerability requires authentication but no additional user interaction, and it can be exploited remotely over the network. The CVSS v3.1 base score is 4.3, reflecting low complexity of attack and limited impact on confidentiality only, with no impact on integrity or availability. No patches or official fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The plugin is used primarily in WordPress environments, which are prevalent globally, especially in small to medium businesses and support organizations. The vulnerability highlights the importance of proper authorization checks on user-controlled inputs, especially in plugins handling sensitive support ticket data.
Potential Impact
The primary impact of CVE-2024-13607 is the unauthorized disclosure of support ticket data, which may contain sensitive or personally identifiable information. This breach of confidentiality can lead to privacy violations, reputational damage, and potential regulatory non-compliance for organizations using the affected plugin. Since the vulnerability allows users with minimal privileges (Subscriber-level) to access data beyond their authorization, insider threats or compromised low-privilege accounts could be leveraged to harvest sensitive information. However, the vulnerability does not affect data integrity or system availability, limiting the scope of damage. Organizations relying on the JS Help Desk plugin for customer support risk exposure of confidential communications and user data, which could be exploited for social engineering or further attacks. The lack of known exploits reduces immediate risk, but the ease of exploitation and widespread use of WordPress plugins means the threat could escalate if weaponized. The impact is more significant for organizations handling sensitive or regulated data through their help desk systems.
Mitigation Recommendations
To mitigate CVE-2024-13607, organizations should immediately audit and restrict access to the JS Help Desk plugin, limiting it to trusted users only. Administrators should review user roles and permissions to ensure that Subscriber-level accounts do not have unnecessary access to sensitive functions. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests manipulating the 'exportusereraserequest' parameter can provide temporary protection. Monitoring logs for unusual export activity or access patterns is recommended to detect exploitation attempts. Until an official patch is released, consider disabling the export functionality or the entire plugin if feasible. Developers and site administrators should apply the principle of least privilege and enforce strict server-side authorization checks on all user-controlled inputs. Regularly updating WordPress and plugins, and subscribing to vendor security advisories, will ensure timely application of future fixes. Additionally, educating users about the risks of privilege escalation and enforcing strong authentication can reduce exploitation likelihood.
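As an added example (not the plugin's own code; the table name, nonce action, capability and function names are assumptions), a hypothetical WordPress AJAX export handler keyed by a request parameter, shown first with the missing ownership check that characterizes CWE-639 and then in a hardened form that enforces the server-side authorization the recommendations above call for:

```php
<?php
// Added illustration, not the plugin's source. Table and column names,
// the nonce action and the capability are assumed for the example.

// Vulnerable pattern: the user-controlled key decides whose tickets are
// exported, and nothing ties that key to the calling account.
function hypo_export_tickets_vulnerable() {
    global $wpdb;
    $target_user = absint( $_REQUEST['exportusereraserequest'] ); // caller-chosen
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, subject, message FROM {$wpdb->prefix}hypo_tickets WHERE user_id = %d",
        $target_user
    ), ARRAY_A );
    wp_send_json( $rows ); // any logged-in user receives another user's tickets
}

// Hardened pattern: require a session, a nonce, and that the requested key
// is the caller's own id unless the caller holds an administrative capability.
function hypo_export_tickets_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // Rejects requests without a valid nonce for this action (CSRF guard).
    check_ajax_referer( 'hypo_export_tickets', 'nonce' );

    $requested = absint( $_REQUEST['exportusereraserequest'] ?? 0 );
    $caller    = get_current_user_id();

    // Authorization decision is made from the server-side identity, never
    // from the request parameter alone.
    if ( $requested !== $caller && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, subject, message FROM {$wpdb->prefix}hypo_tickets WHERE user_id = %d",
        $requested
    ), ARRAY_A );
    wp_send_json_success( $rows );
}

// Only the hardened handler is wired up; the vulnerable one is for comparison.
add_action( 'wp_ajax_hypo_export_tickets', 'hypo_export_tickets_hardened' );
```

The same ownership test belongs on every code path that reads, updates or deletes ticket data by a client-supplied identifier, not only on the export action.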
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-21T20:09:50.331Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e64b7ef31ef0b59f5f1
Added to database: 2/25/2026, 9:49:24 PM
Last enriched: 2/25/2026, 11:28:12 PM
Last updated: 2/26/2026, 7:41:01 AM