CVE-2024-7094: CWE-94 Improper Control of Generation of Code ('Code Injection') in rabilal JS Help Desk – The Ultimate Help Desk & Support Plugin
The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the 'storeTheme' function. This is due to a lack of sanitization on user-supplied values, which replace values in the style.php file, along with missing capability checks. This makes it possible for unauthenticated attackers to execute code on the server. This issue was partially patched in 2.8.6 when the code injection issue was resolved, and fully patched in 2.8.7 when the missing authorization and cross-site request forgery protection was added.
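The pattern the description names, as an added PHP illustration that is not the plugin's own code: the function names, the option key `jshd_theme_colors` and the nonce action `jshd_store_theme` are assumptions. The first handler shows the weak shape the advisory describes (request values substituted into a PHP file on disk, with no capability or nonce check); the second shows the checks the 2.8.6 and 2.8.7 fixes are described as adding, and additionally keeps theme settings as data in the options table so no PHP is ever generated from user input.

```php
<?php
// Added illustration of the advisory's pattern; not code from the JS Help Desk plugin.
// All function names, the option key and the nonce action below are assumptions.

// Weak pattern (what the description attributes to 'storeTheme' before 2.8.6):
// placeholders in a PHP template are replaced with raw request values and the
// result is written to style.php, so the values land in PHP source context.
function hypothetical_store_theme_weak() {
    $template = "<?php \$primary = '%%PRIMARY%%'; \$font_size = '%%FONT%%';";
    $php = str_replace(
        array( '%%PRIMARY%%', '%%FONT%%' ),
        array( $_POST['primary'], $_POST['font_size'] ), // unvalidated; no capability or nonce check
        $template
    );
    file_put_contents( __DIR__ . '/style.php', $php ); // code generated from untrusted input
}

// Hardened handler: authorization, CSRF protection, strict validation,
// and storage as data rather than as executable PHP.
function hypothetical_store_theme_hardened() {
    // 1. Authorization: only users allowed to manage settings may change the theme.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'jshd_store_theme', '_wpnonce' );

    // 3. Validation: accept only values that match a strict, expected shape.
    //    sanitize_hex_color() returns null for anything that is not #rgb/#rrggbb.
    $primary = isset( $_POST['primary'] ) ? sanitize_hex_color( wp_unslash( $_POST['primary'] ) ) : null;
    $font    = isset( $_POST['font_size'] ) ? absint( $_POST['font_size'] ) : 0;
    if ( null === $primary || '' === $primary || $font < 8 || $font > 72 ) {
        wp_send_json_error( 'invalid theme values', 400 );
    }

    // 4. Storage: persist settings in wp_options as plain data. Nothing is
    //    written to the plugin directory, so there is no file to inject into.
    update_option( 'jshd_theme_colors', array(
        'primary'   => $primary,
        'font_size' => $font,
    ) );
    wp_send_json_success();
}

// Rendering side: build the stylesheet from stored data at request time and
// escape on output, instead of including a generated style.php.
function hypothetical_theme_css() {
    $opt     = get_option( 'jshd_theme_colors', array( 'primary' => '#0073aa', 'font_size' => 14 ) );
    $primary = sanitize_hex_color( $opt['primary'] );
    $font    = absint( $opt['font_size'] );
    if ( null === $primary || '' === $primary ) {
        $primary = '#0073aa';
    }
    return sprintf( '.jshd-ticket { color: %s; font-size: %dpx; }', esc_attr( $primary ), $font );
}
```

Two operational takeaways follow from the contrast. First, the capability and nonce checks address the "unauthenticated" part of the advisory but not the injection itself; the code-injection fix is removing the step that turns request data into PHP source, which is why 2.8.6 and 2.8.7 are described as two separate partial fixes. Second, for sites that cannot upgrade immediately, a web request causing a write to a `.php` file inside `wp-content/plugins/` is a high-signal event for file-integrity monitoring, regardless of which plugin performs it.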
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-24T21:58:26.836Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c0fb7ef31ef0b55f83c
Added to database: 2/25/2026, 9:39:27 PM
Last updated: 2/26/2026, 1:07:03 AM