Skip to main content

Majestic Support CVE-2026-13262

| EUVDEUVD-2026-43122 MEDIUM
SQL Injection (CWE-89)
2026-07-11 Wordfence GHSA-jvc5-5493-8v66
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network AJAX endpoint requires only Subscriber-level nonce; confidentiality impact is high (full DB read); no write or availability path confirmed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 03:52 vuln.today
CVE Published
Jul 11, 2026 - 02:31 cve.org
MEDIUM 6.5

DescriptionCVE.org

The Majestic Support - The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a valid 'get-smart-reply' nonce, which any Subscriber-level user can obtain by creating a ticket via the public frontend and visiting the resulting ticket detail page, making this effectively exploitable by any authenticated user.

AnalysisAI

SQL injection in the Majestic Support WordPress help desk plugin (versions up to and including 1.1.9) allows any authenticated WordPress user to extract sensitive data from the site's database by appending arbitrary SQL to queries via the unsanitized 'val' AJAX parameter. Although the description characterizes attackers as 'unauthenticated,' exploitation in practice requires a Subscriber-level account to obtain a 'get-smart-reply' nonce - a low but real barrier accurately reflected in the CVSS PR:L rating. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register Subscriber-level WordPress account
Delivery
Submit support ticket via public frontend
Exploit
Extract 'get-smart-reply' nonce from ticket detail page
Execution
Craft AJAX POST with SQL payload in 'val' parameter
Persist
Execute UNION-based injection against database
Impact
Exfiltrate sensitive database contents

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress account at Subscriber level or higher and to have the ability to create at least one support ticket through the Majestic Support public frontend. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N accurately reflects the real-world exploitation profile: network-reachable, low-complexity, requiring only Subscriber-level authentication, with high confidentiality impact (full database read) and no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber-level account on a WordPress site running Majestic Support 1.1.9, submits a support ticket through the public frontend to trigger nonce issuance, captures the 'get-smart-reply' nonce from the rendered ticket detail page, then sends a crafted AJAX POST request with a UNION-based SQL payload in the 'val' parameter - extracting WordPress user table data including hashed passwords and email addresses from the database. No public exploit code has been identified at time of analysis, but the straightforward UNION injection path and low technical barrier make independent exploitation development likely for moderately skilled attackers.
Remediation Upgrade the Majestic Support plugin to version 1.2.0 or later; the 1.2.0 tagged release on plugins.trac.wordpress.org (https://plugins.trac.wordpress.org/browser/majestic-support/tags/1.2.0/modules/smartreply/model.php?rev=3599140#L212) shows revised code in the previously vulnerable model.php location - however, this fix version is inferred from source code diffs rather than from a formal vendor security changelog, so confirm with the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/502577dd-49e3-419d-8b37-591be69ad131 before treating it as definitive. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy