CVE-2023-50839

CRITICAL NUCLEI

JS Help Desk < 2.8.1 - Unauthenticated SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-50839. PoCs published by Francesco-CyberIntelligence, Sechunt3r. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository describes an IDOR vulnerability (CVE-2023-50839) discovered in a third-party support component using tools like 'gau' and 'Nuclei'. The writeup highlights the exposure of outdated software and manual header analysis to confirm the vulnerability, emphasizing Defense in Depth failures and PII protection.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.8.1.

Exploits (2)

nomisec WRITEUP

by Francesco-CyberIntelligence · poc

https://github.com/Francesco-CyberIntelligence/bug-bounty-findings-o-research-disclosures.

View Code ZIP pw:eip

The repository describes an IDOR vulnerability (CVE-2023-50839) discovered in a third-party support component using tools like 'gau' and 'Nuclei'. The writeup highlights the exposure of outdated software and manual header analysis to confirm the vulnerability, emphasizing Defense in Depth failures and PII protection.

Classification

Writeup 80%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: unspecified third-party support component

No auth needed

Prerequisites: access to the vulnerable component · use of 'gau' and 'Nuclei' tools

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Apr 25, 2026 Full analysis →

github WORKING POC

by Sechunt3r · pythonpoc

https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2023-50839

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2020-27615, an unauthenticated time-based blind SQL injection vulnerability in the WordPress Loginizer plugin. The exploit includes a Python script and a Nuclei template, both demonstrating the vulnerability via crafted payloads targeting the 'log' parameter.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Loginizer Plugin <= 1.6.3

No auth needed

Prerequisites: WordPress site with vulnerable Loginizer plugin installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

Nuclei Templates (1)

JS Help Desk <= 2.8.1 - SQL Injection

CRITICALVERIFIEDby Shivam Kamboj

References (1)

Core 1

Core References

Third Party Advisory vdb-entry

https://patchstack.com/database/vulnerability/js-support-ticket/wordpress-js-help-desk-plugin-2-8-1-unauthenticated-sql-injection-vulnerability?_s_id=cve

Scores

CVSS v3 9.3

EPSS 0.0204

EPSS Percentile 78.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

JS Help Desk/JS Help Desk – Best Help Desk & Support Plugin < 2.8.1

wiselyhub/js_help_desk < 2.8.1

Published Dec 28, 2023

Tracked Since Feb 18, 2026