Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-7094

CVE-2024-7094: JS Help Desk WordPress Plugin RCE Flaw

CVE-2024-7094 is a remote code execution vulnerability in JS Help Desk WordPress plugin that allows unauthenticated attackers to execute arbitrary code on the server. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-7094 Overview

CVE-2024-7094 is a critical PHP Code Injection vulnerability affecting the JS Help Desk – The Ultimate Help Desk & Support Plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code on the server through the storeTheme function, which lacks proper input sanitization and capability checks. The flaw enables attackers to inject malicious code via user-supplied values that are written directly to the style.php file, resulting in Remote Code Execution (RCE).

Critical Impact

Unauthenticated remote code execution allows attackers to completely compromise WordPress installations, potentially leading to data theft, website defacement, malware distribution, and lateral movement within the hosting environment.

Affected Products

  • JS Help Desk – The Ultimate Help Desk & Support Plugin versions up to and including 2.8.6
  • WordPress installations running vulnerable versions of the plugin
  • Partial fix in version 2.8.6 (code injection resolved); full fix in version 2.8.7 (authorization and CSRF protection added)

Discovery Timeline

  • 2024-08-13 - CVE-2024-7094 published to NVD
  • 2024-08-13 - Last updated in NVD database

Technical Details for CVE-2024-7094

Vulnerability Analysis

This vulnerability is classified as CWE-94 (Improper Control of Generation of Code, 'Code Injection'). The storeTheme function in the JS Help Desk plugin processes user-supplied input without adequate sanitization before writing it to the style.php file. Because there are no capability checks enforcing authentication, any unauthenticated user can invoke this function and inject arbitrary PHP code into the stylesheet file.

The attack chain involves manipulating theme-related parameters that are subsequently stored in executable PHP files. When the style.php file is later accessed by the WordPress application, the injected code executes with the privileges of the web server user, granting attackers full control over the WordPress installation.

Root Cause

The root cause of CVE-2024-7094 stems from multiple security oversights in the theme management functionality:

  1. Missing Input Sanitization: User-supplied values are directly written to PHP files without escaping or validation
  2. Absent Capability Checks: No verification that the requesting user has administrative privileges to modify theme settings
  3. Missing CSRF Protection: No nonce verification to prevent cross-site request forgery attacks

The combination of these issues creates a direct path from unauthenticated HTTP requests to server-side code execution. The vulnerable code flow passes through multiple files including formhandler.php, controller.php, and model.php in the themes module before ultimately writing to style.php.

Attack Vector

The attack leverages the network-accessible storeTheme function through standard HTTP requests to the WordPress site. An attacker can craft a malicious request containing PHP code within theme parameter values. This code is then written to the style.php file in the plugin's CSS directory.

The exploitation process involves:

  1. Identifying a WordPress site running a vulnerable version of JS Help Desk
  2. Crafting an HTTP request to the storeTheme endpoint with malicious PHP code embedded in theme parameters
  3. The plugin processes the request without authentication, writing the payload to style.php
  4. Accessing the style.php file triggers execution of the injected code

Technical analysis of the vulnerable code paths can be found in the WordPress Plugin Theme Model and WordPress Plugin CSS File. For additional vulnerability details, see the Wordfence Vulnerability Report.

Detection Methods for CVE-2024-7094

Indicators of Compromise

  • Unexpected modifications to /wp-content/plugins/js-support-ticket/includes/css/style.php file
  • Presence of PHP code constructs (e.g., eval(), system(), exec(), base64_decode()) within CSS-related files
  • Unusual outbound network connections from the web server process
  • New or unfamiliar files created in the WordPress installation directory

Detection Strategies

  • Monitor web server access logs for suspicious POST requests to the JS Help Desk plugin endpoints, particularly those targeting theme-related functionality
  • Implement file integrity monitoring (FIM) on the style.php file and related plugin files to detect unauthorized modifications
  • Deploy web application firewall (WAF) rules to detect and block requests containing PHP code patterns in form parameters
  • Review WordPress plugin audit logs for unauthorized theme modification attempts

Monitoring Recommendations

  • Configure real-time alerts for any file modifications within the JS Help Desk plugin directory
  • Establish baseline behavior for legitimate theme customization requests and alert on anomalies
  • Monitor for PHP process spawning unexpected child processes (shell commands, network tools)
  • Track changes to the wp-content/plugins/js-support-ticket/ directory structure

How to Mitigate CVE-2024-7094

Immediate Actions Required

  • Update JS Help Desk plugin to version 2.8.7 or later immediately
  • Audit the style.php file for any signs of injected PHP code
  • Review web server logs for evidence of exploitation attempts
  • If compromise is suspected, perform a full malware scan and consider restoring from a known-clean backup

Patch Information

The vulnerability was addressed in two phases by the plugin developers:

  • Version 2.8.6: Partial patch resolving the PHP code injection issue by implementing input sanitization
  • Version 2.8.7: Full patch adding missing authorization checks and cross-site request forgery (CSRF) protection via nonce verification

WordPress administrators should update to version 2.8.7 or later to receive complete protection. The patch can be applied through the WordPress admin dashboard under Plugins → Installed Plugins → JS Help Desk → Update, or by downloading the latest version from the WordPress plugin repository.

Workarounds

  • Temporarily disable the JS Help Desk plugin until patching is possible
  • Implement WAF rules to block requests containing PHP code patterns targeting the plugin's form handlers
  • Restrict access to the WordPress admin directory using .htaccess rules or server-level IP whitelisting
  • Remove write permissions from the style.php file temporarily (may affect plugin functionality)
bash
# Temporary mitigation: Restrict write access to style.php
chmod 444 /var/www/html/wp-content/plugins/js-support-ticket/includes/css/style.php

# Block suspicious requests at the web server level (Apache example)
# Add to .htaccess in WordPress root
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (eval|base64_decode|system|exec) [NC,OR]
    RewriteCond %{REQUEST_BODY} (eval|base64_decode|system|exec) [NC]
    RewriteRule ^wp-content/plugins/js-support-ticket/ - [F,L]
</IfModule>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne