
CVE-2026-2511

Severity: High
Published: 26 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0011 (29.3rd percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2511 is a high-severity SQL injection (CWE-89) vulnerability in WordPress (the affected product is inferred from the references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The vulnerability is flagged as AI-related: it is categorised under Enterprise AI Assistants, in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2511 is a SQL injection vulnerability in the JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress, affecting all versions up to and including 3.0.4. The flaw resides in the storeTickets() function, where the user-supplied multiformid parameter is passed to the esc_sql() function without enclosing the result in quotes within the SQL query. This renders the escaping ineffective against payloads that lack quote characters, allowing injection of additional SQL queries.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. Successful exploitation enables appending arbitrary SQL queries to existing ones, facilitating extraction of sensitive information from the database. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) underscores the high confidentiality impact.

Advisories reference specific code locations in the plugin's model.php files, including lines 181 and 996 in fieldordering/model.php and line 1178 in ticket/model.php. A patch is available via changeset 3463031 on the WordPress plugins Trac repository, and Wordfence provides additional threat intelligence details.

Vulnerability details

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
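The flaw class described in the analysis and the vulnerability details above, shown as an added illustration beside its hardened form. This is not the plugin's source and not code from the advisory; it assumes the WordPress runtime (`$wpdb`, `esc_sql()`, `absint()`), and the table name and function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's source: the flaw class the advisory
// describes (esc_sql() on an unquoted numeric parameter) beside a hardened
// form. Assumes the WordPress runtime ($wpdb, esc_sql(), absint()); the
// table name and function names are hypothetical.

// UNSAFE pattern. esc_sql() only backslash-escapes quote characters, so a
// value concatenated bare into the statement is not constrained to be a
// number: any input that contains no quotes reaches the SQL text unchanged.
function jshd_example_lookup_unsafe( string $multiformid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_tickets'; // hypothetical table
    $sql   = "SELECT id, subject FROM {$table} WHERE multiformid = "
           . esc_sql( $multiformid );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Type check performed before any SQL is built: accept only a plain
// positive decimal integer and return it as an int, otherwise null.
function jshd_example_validate_multiformid( $raw ): ?int {
    if ( ! is_scalar( $raw ) || ! ctype_digit( (string) $raw ) ) {
        return null;
    }
    $id = absint( $raw );
    return $id > 0 ? $id : null; // treating 0 as invalid is an assumption
}

// HARDENED pattern: validate first, then bind with $wpdb->prepare() and the
// %d placeholder. prepare() casts %d to an integer, so the query text can
// never contain attacker-controlled characters.
function jshd_example_lookup_safe( $raw ): array {
    global $wpdb;
    $id = jshd_example_validate_multiformid( $raw );
    if ( null === $id ) {
        // Rejected input is worth logging: repeated non-numeric values for
        // this parameter are a useful detection signal for probing.
        error_log( 'multiformid rejected: non-numeric value supplied' );
        return array(); // no query is executed for invalid input
    }
    $table = $wpdb->prefix . 'example_tickets'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, subject FROM {$table} WHERE multiformid = %d",
        $id
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}
```

The same defect exists wherever an escaped value is dropped into a numeric slot without quotes; validating the type and binding with a typed placeholder fixes it regardless of which query the value lands in.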

CWE(s)

CWE-89 (SQL Injection)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: "ai"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) and arbitrary database queries for sensitive-data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22743 (shared CWE-89)
CVE-2026-3456 (shared CWE-89)
CVE-2026-40978 (shared CWE-89)
CVE-2019-25537 (shared CWE-89)
CVE-2026-22850 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of user-supplied inputs like the multiformid parameter to prevent SQL injection in the storeTickets function.

SI-2 Flaw Remediation (prevent): Mandates timely application of patches, such as the available changeset 3463031, to remediate the improper esc_sql usage without quotes.

SC-7 Boundary Protection (prevent): Boundary protection via web application firewalls can inspect and block SQL injection payloads targeting the multiformid parameter before they reach the vulnerable plugin.
