Skip to main content

WP Support Plus CVE-2026-11590

| EUVDEUVD-2026-40263 HIGH
2026-06-30 WPScan GHSA-fjmg-grxw-25vg
8.6
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Remote unauthenticated low-complexity SQLi (AV:N/AC:L/PR:N/UI:N) with database-only read impact, so C:H and S:U rather than the vendor's S:C; I/A:N as no confirmed write/destruction.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 30, 2026 - 15:24 vuln.today
CVSS changed
Jun 30, 2026 - 15:22 NVD
8.6 (HIGH)
CVE Published
Jun 30, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 06:00 cve.org
HIGH 8.6

DescriptionCVE.org

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

AnalysisAI

Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running WP Support Plus ≤9.1.2
Delivery
Send request with SQL in array key
Exploit
Injection executes in $wpdb query
Execution
Extract user hashes and DB data
Impact
Crack/reuse credentials for account takeover

Vulnerability AssessmentAI

Exploitation No special conditions beyond having the WP Support Plus Responsive Ticket System plugin (version ≤9.1.2) installed and active on a reachable WordPress site - exploitation is remote and unauthenticated (PR:N, UI:N) against default configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a vulnerable WP Support Plus endpoint, supplying request parameters as PHP arrays whose KEY contains SQL syntax (e.g. a UNION or boolean/time-based blind payload). …
Remediation No vendor-released patch or fixed version is identified in the available data for versions through 9.1.2, so a clean upgrade target cannot be confirmed; monitor the WordPress plugin repository and the WPScan advisory (https://wpscan.com/vulnerability/117853ca-0fd3-4bfa-ad60-799eb5c77bdf/) for a release above 9.1.2 and apply it immediately once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances using WP Support Plus Responsive Ticket System plugin and disable it on non-critical systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy