CVE-2026-2511
Published: 26 March 2026
Summary
CVE-2026-2511 is a high-severity SQL Injection (CWE-89) vulnerability in the JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress (the affected product is inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is flagged as AI-related and categorised as Other AI Platforms; the flag rests on a keyword match ("ai", from the plugin's "AI-Powered" name, see Classification Reason below) rather than on any AI-specific aspect of the flaw.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation and sanitization of user-supplied inputs such as the multiformid parameter, which would prevent the SQL injection in the storeTickets() function.
SI-2 (Flaw Remediation): mandates timely application of patches, such as the available changeset 3463031, which corrects the esc_sql() call whose result was interpolated without enclosing quotes.
SC-7 (Boundary Protection): a web application firewall at the boundary can inspect and block SQL injection payloads aimed at the multiformid parameter before they reach the vulnerable plugin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) and arbitrary database queries for sensitive-data extraction (T1213.006).
NVD Description
The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Deeper analysis
CVE-2026-2511 is a SQL injection vulnerability in the JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress, affecting all versions up to and including 3.0.4. The flaw resides in the storeTickets() function, where the user-supplied multiformid parameter is passed to the esc_sql() function without enclosing the result in quotes within the SQL query. This renders the escaping ineffective against payloads that lack quote characters, allowing injection of additional SQL queries.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. Successful exploitation enables appending arbitrary SQL queries to existing ones, facilitating extraction of sensitive information from the database. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) underscores the high confidentiality impact.
Advisories reference specific code locations in the plugin's model.php files, including lines 181 and 996 in fieldordering/model.php and line 1178 in ticket/model.php. A patch is available via changeset 3463031 on the WordPress plugins Trac repository, and Wordfence provides additional threat intelligence details.
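To make the escaping failure concrete, the following Python script is an added example (not code from the plugin, the advisory, or WordPress). It emulates the quote-escaping that esc_sql() applies and builds the query three ways: interpolated unquoted, as in the vulnerable pattern; enclosed in quotes; and validated as an integer, which is what the input-validation control asks for. The table name wp_example_forms and the `WHERE id = ...` shape are assumptions for illustration; the plugin's real query is not reproduced here. The two payloads are constructed for the demo.

```python
import re

# Characters rewritten by MySQL-style string escaping, which is what esc_sql()
# delegates to. This table is an emulation for the demo, not WordPress code.
_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}

# Assumed table name and query shape, chosen for illustration only.
TABLE = "wp_example_forms"


def esc_sql_emulated(value: str) -> str:
    """Escape quotes, backslashes and control characters the way esc_sql() does."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def payload_survives_escaping(payload: str) -> bool:
    """True when escaping changes nothing, i.e. the payload has no quote-like characters."""
    return esc_sql_emulated(payload) == payload


def build_query_vulnerable(multiformid: str) -> str:
    """The CVE-2026-2511 pattern: escaped, then interpolated without surrounding quotes."""
    return f"SELECT * FROM {TABLE} WHERE id = {esc_sql_emulated(multiformid)}"


def build_query_quoted(multiformid: str) -> str:
    """Same escaping, but the value is enclosed in quotes, so it stays a string literal."""
    return f"SELECT * FROM {TABLE} WHERE id = '{esc_sql_emulated(multiformid)}'"


def build_query_hardened(multiformid: str) -> str:
    """Treat the id as an integer and reject anything else (SI-10 style input validation)."""
    if not re.fullmatch(r"[0-9]+", multiformid):
        raise ValueError("multiformid must be a non-negative integer")
    return f"SELECT * FROM {TABLE} WHERE id = {int(multiformid)}"


def hardened_rejects(multiformid: str) -> bool:
    """Convenience check: does the hardened builder refuse this value?"""
    try:
        build_query_hardened(multiformid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: no quote characters, so escaping leaves it untouched.
    quote_free = "1 UNION SELECT user_login, user_pass FROM wp_users"
    # Constructed payload: depends on quote characters, so escaping defuses it.
    quoted = "1' OR '1'='1"

    for name, payload in (("quote-free", quote_free), ("quoted", quoted)):
        print(f"{name}: survives escaping = {payload_survives_escaping(payload)}")
        print("  unquoted context :", build_query_vulnerable(payload))
        print("  quoted context   :", build_query_quoted(payload))
        if hardened_rejects(payload):
            print("  hardened         : rejected")
        else:
            print("  hardened         :", build_query_hardened(payload))
```

Running it shows the asymmetry the advisory describes: the quote-free UNION payload passes through the escaper unchanged and becomes part of the unquoted query, while the same payload inside a quoted literal is inert and the integer-validated builder refuses it outright. In WordPress code the equivalent of the hardened builder is a `$wpdb->prepare()` call with a `%d` placeholder, or an explicit integer cast before the value reaches the query.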
Details
- CWE(s): CWE-89 (SQL Injection)
Affected Products
- JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress, all versions up to and including 3.0.4 (patch available via changeset 3463031)
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai