Skip to main content

WP Support Plus CVE-2026-11875

| EUVDEUVD-2026-42510 MEDIUM
2026-07-09 WPScan GHSA-rwf6-mm98-7hfq
5.3
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable with no prerequisites; integrity impact added (I:L) because attackers can reply to and close tickets beyond read access.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 17:16 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
5.3 (None) 5.3 (MEDIUM)
CVE Published
Jul 09, 2026 - 06:00 cve.org
MEDIUM 5.3
CVE Published
Jul 09, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sign or verify its guest-session cookie, allowing unauthenticated attackers to forge it and impersonate any ticket owner (identified by email address) to read, reply to, and close that person's support tickets.

AnalysisAI

Cookie forgery in WP Support Plus Responsive Ticket System (WordPress plugin ≤9.1.2) allows unauthenticated network attackers to impersonate any guest ticket owner by crafting an unsigned guest-session cookie containing the victim's email address, then reading, replying to, and closing that user's support tickets. The plugin fails to sign or verify its guest-session cookie, making the trust boundary between guest sessions trivially bypassable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate or obtain target user's email address
Delivery
Craft guest-session cookie with victim email value
Exploit
Send HTTP request with forged cookie to plugin endpoint
Execution
Plugin trusts cookie without verification
Impact
Read, reply to, or close victim's support tickets

Vulnerability AssessmentAI

Exploitation The WP Support Plus Responsive Ticket System plugin must be installed and active on a WordPress site with the guest (unauthenticated) ticket submission feature in use - this is the standard deployment mode for the plugin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 5.3 Medium vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) captures the network-reachable, unauthenticated nature of the flaw but understates the integrity dimension: attackers can also reply to and close tickets, actions the C:L/I:N rating omits. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows or enumerates a target user's email address constructs an HTTP request to the WordPress site with a crafted guest-session cookie bearing that email, requiring no credentials or prior interaction. The plugin accepts the cookie at face value, granting the attacker full read and write access to that user's support tickets - potentially exposing sensitive communications, allowing injection of misleading replies, or suppressing tickets by closing them. …
Remediation No vendor-released patched version has been identified at time of analysis - the WPScan advisory at https://wpscan.com/vulnerability/1c69692e-5d0c-42cf-9b3d-b722f2ba4231/ should be consulted for updates. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy