Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network AJAX endpoint requires only Subscriber-level nonce; confidentiality impact is high (full DB read); no write or availability path confirmed.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Majestic Support - The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a valid 'get-smart-reply' nonce, which any Subscriber-level user can obtain by creating a ticket via the public frontend and visiting the resulting ticket detail page, making this effectively exploitable by any authenticated user.
AnalysisAI
SQL injection in the Majestic Support WordPress help desk plugin (versions up to and including 1.1.9) allows any authenticated WordPress user to extract sensitive data from the site's database by appending arbitrary SQL to queries via the unsanitized 'val' AJAX parameter. Although the description characterizes attackers as 'unauthenticated,' exploitation in practice requires a Subscriber-level account to obtain a 'get-smart-reply' nonce - a low but real barrier accurately reflected in the CVSS PR:L rating. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid WordPress account at Subscriber level or higher and to have the ability to create at least one support ticket through the Majestic Support public frontend. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N accurately reflects the real-world exploitation profile: network-reachable, low-complexity, requiring only Subscriber-level authentication, with high confidentiality impact (full database read) and no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber-level account on a WordPress site running Majestic Support 1.1.9, submits a support ticket through the public frontend to trigger nonce issuance, captures the 'get-smart-reply' nonce from the rendered ticket detail page, then sends a crafted AJAX POST request with a UNION-based SQL payload in the 'val' parameter - extracting WordPress user table data including hashed passwords and email addresses from the database. No public exploit code has been identified at time of analysis, but the straightforward UNION injection path and low technical barrier make independent exploitation development likely for moderately skilled attackers. |
| Remediation | Upgrade the Majestic Support plugin to version 1.2.0 or later; the 1.2.0 tagged release on plugins.trac.wordpress.org (https://plugins.trac.wordpress.org/browser/majestic-support/tags/1.2.0/modules/smartreply/model.php?rev=3599140#L212) shows revised code in the previously vulnerable model.php location - however, this fix version is inferred from source code diffs rather than from a formal vendor security changelog, so confirm with the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/502577dd-49e3-419d-8b37-591be69ad131 before treating it as definitive. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43122
GHSA-jvc5-5493-8v66