CVE-2024-7094: 
WordPress vulnerability analysis and mitigation

The JS Help Desk – The Ultimate Help Desk & Support Plugin for WordPress (CVE-2024-7094) is a critical vulnerability affecting all versions up to and including 2.8.6. The vulnerability was discovered in August 2024 and involves PHP Code Injection leading to Remote Code Execution via the 'storeTheme' function. The issue was partially addressed in version 2.8.6 and fully patched in version 2.8.7 (NVD).

The vulnerability stems from a lack of sanitization on user-supplied values in the style.php file, combined with missing capability checks. The issue has been assigned a CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD, Wordfence).

The vulnerability affects over 5,000 WordPress websites running the JS Help Desk plugin. Due to the critical nature of the vulnerability, unauthenticated attackers can execute arbitrary code on the affected servers, potentially leading to complete system compromise (Hacker News).

Website administrators running the affected plugin versions should immediately update to version 2.8.7, which includes the complete security fix with both the code injection patch and proper authorization checks. The vulnerability was addressed in two stages: the initial patch in version 2.8.6 fixed the code injection issue, while version 2.8.7 added the missing authorization and cross-site request forgery protection (NVD).