CVE-2025-30901: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-30901) was discovered in JoomSky's JS Help Desk WordPress plugin affecting versions up to and including 2.9.2. The vulnerability was discovered by Trương Hữu Phúc and publicly disclosed on March 27, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CVE Details, WPScan).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has received a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability allows for PHP Local File Inclusion and can be exploited without authentication (Patchstack).

The vulnerability enables unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. This can be leveraged to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. Files containing credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration (WPScan).

The vulnerability has been fixed in version 2.9.3 of the JS Help Desk plugin. Users are strongly advised to update to version 2.9.3 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).