CVE-2025-30880 Overview
CVE-2025-30880 is a missing authorization vulnerability in the JoomSky JS Help Desk plugin (js-support-ticket) for WordPress. The flaw stems from incorrectly configured access control security levels, allowing unauthenticated attackers to reach functionality that should require authorization. The issue affects all versions of JS Help Desk up to and including 2.9.2. The vulnerability is tracked under CWE-862: Missing Authorization and is exploitable over the network without user interaction or privileges.
Critical Impact
Network-reachable attackers can abuse broken access controls in JS Help Desk to disrupt availability of the support ticket plugin on affected WordPress sites.
Affected Products
- JoomSky JS Help Desk WordPress plugin (js-support-ticket) version 2.9.2 and earlier
- WordPress sites using the JS Help Desk plugin for customer support workflows
- Any deployment exposing the plugin's endpoints to unauthenticated network traffic
Discovery Timeline
- 2025-04-01 - CVE-2025-30880 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-30880
Vulnerability Analysis
The JS Help Desk plugin exposes one or more actions that fail to enforce proper authorization checks before executing privileged operations. According to the Patchstack Vulnerability Report, the weakness is a broken access control issue affecting versions through 2.9.2. An unauthenticated attacker can invoke functionality that the plugin assumes is restricted to specific user roles. The resulting impact, as reflected in the CVSS vector, is limited to availability — confidentiality and integrity are not directly affected. This pattern is consistent with capabilities such as ticket deletion, status manipulation, or resource clearing operations being callable without role validation.
Root Cause
The root cause is the absence of a proper capability or nonce check on one or more plugin handlers. WordPress plugins should verify user permissions using functions such as current_user_can() and validate request context with check_ajax_referer() or wp_verify_nonce(). When these checks are missing or are applied to the wrong capability level, the access control model is bypassed. This maps directly to CWE-862: Missing Authorization.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted HTTP requests to the plugin's exposed endpoints, typically through admin-ajax.php or registered REST routes. Because the affected handlers do not validate the caller's role, the requests are processed as if issued by an authorized user. Refer to the Patchstack Vulnerability Report for technical details on the affected actions.
Detection Methods for CVE-2025-30880
Indicators of Compromise
- Unexpected HTTP POST requests to admin-ajax.php referencing JS Help Desk actions from unauthenticated sessions
- Sudden loss, modification, or state changes of support tickets without corresponding administrator activity
- Web server logs showing repeated requests to plugin endpoints from a small set of source IP addresses
Detection Strategies
- Inventory all WordPress installations and identify sites running js-support-ticket version 2.9.2 or earlier
- Audit access logs for requests to JS Help Desk AJAX or REST endpoints originating from unauthenticated clients
- Correlate ticket database changes with authenticated admin sessions to identify out-of-band modifications
Monitoring Recommendations
- Enable verbose logging on the WordPress site and forward logs to a centralized SIEM for correlation
- Alert on anomalous request volumes to /wp-admin/admin-ajax.php containing JS Help Desk action parameters
- Monitor for changes to support ticket records outside of normal administrative workflows
How to Mitigate CVE-2025-30880
Immediate Actions Required
- Update the JS Help Desk plugin to a version newer than 2.9.2 once a patched release is available from JoomSky
- Restrict access to wp-admin and admin-ajax.php endpoints using a web application firewall (WAF) where feasible
- Review WordPress activity logs for evidence of unauthorized ticket manipulation
Patch Information
At the time of NVD publication, the affected scope is JS Help Desk versions n/a through <= 2.9.2. Site administrators should consult the Patchstack Vulnerability Report and the JoomSky vendor channel for patched release information and upgrade guidance.
Workarounds
- Deactivate and remove the JS Help Desk plugin until a fixed version is installed if the plugin is not business-critical
- Apply WAF rules that block unauthenticated requests to JS Help Desk AJAX actions and REST routes
- Limit administrative endpoints to known IP ranges using .htaccess or reverse proxy access control lists
# Configuration example: block unauthenticated access to JS Help Desk AJAX actions at the reverse proxy
location = /wp-admin/admin-ajax.php {
if ($arg_action ~* "^jssupportticket") {
# Allow only requests from trusted admin IPs
allow 203.0.113.0/24;
deny all;
}
include fastcgi_params;
fastcgi_pass php-fpm;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

