Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated single HTTP request to the default `?s=` endpoint (AV:N/AC:L/PR:N/UI:N); UNION-based SELECT yields data disclosure (C:H) but no write or DoS (I:N/A:N).
Primary rating from Vendor (Wordfence).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (s) in versions up to, and including, 6.0.4. The plugin hooks WordPress's posts_request filter with wp_ticket_com_posts_request(), which calls emd_author_search_results() when the current request is an unauthenticated front-end search. That function reads $query->query_vars['s'] - already wp_unslash()'d by WP_Query::parse_query(), so wp_magic_quotes protection has been stripped - and concatenates the raw value into a SQL LIKE clause inside a UNION sub-SELECT appended to the main query, with no $wpdb->prepare() or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database.
Analysis (AI)
SQL injection in the WP Ticket WordPress plugin (versions up to and including 6.0.4) allows unauthenticated remote attackers to inject arbitrary SQL via the WordPress front-end search query parameter s, enabling extraction of sensitive database contents. The flaw stems from concatenating the unslashed search term into a UNION sub-SELECT without using $wpdb->prepare(). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The target WordPress site must have the WP Ticket plugin installed and active at version ≤ 6.0.4, and the front-end search endpoint (the standard `?s=` query parameter handled by `WP_Query`) must be reachable by the attacker - which is the default for public WordPress sites. … |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N scores 7.5 and correctly reflects unauthenticated, network-reachable exploitation against a public search endpoint with high confidentiality impact but no integrity or availability impact - consistent with a UNION-based read-only SELECT injection. … |
| Exploit Scenario | An unauthenticated attacker sends an HTTP GET request to the target WordPress site's front-end search endpoint, for example `https://victim.example/?s=` followed by a crafted payload that closes the `LIKE` clause and appends a UNION SELECT to exfiltrate values such as `wp_users.user_login` and `user_pass` hashes. Because exploitation is a single network request with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N), it is highly automatable against any reachable site running WP Ticket ≤ 6.0.4. … |
| Remediation | Vendor-released patch: WP Ticket 6.0.5, per the WordPress.org plugin changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-ticket/tags%2F6.0.4&new_path=%2Fwp-ticket/tags%2F6.0.5 and the targeted fix in https://plugins.trac.wordpress.org/changeset/3565099/wp-ticket/trunk/includes/common-functions.php - administrators should upgrade to 6.0.5 or later immediately via the WordPress plugin updater. … |
Recommended Action (AI)
Within 24 hours: Scan all WordPress installations to identify WP Ticket plugin presence and affected versions (≤6.0.4); assess which sites have search functionality publicly exposed. …
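One way to run the inventory step above on a web host, as an added example that is not code from the advisory, the vendor, or the plugin. It assumes the standard `wp-content/plugins/wp-ticket/` layout (slug taken from the changeset URLs above) and the usual WordPress plugin header with `Plugin Name:` and `Version:` lines; the main file name is not assumed.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "wp-ticket"      # slug as it appears in the plugins.trac URLs
LAST_VULNERABLE = (6, 0, 4)    # affected: up to and including 6.0.4; fixed in 6.0.5

# WordPress takes a plugin's version from the "Version:" line of the header
# comment in a top-level PHP file of the plugin directory.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "6.0" to (6, 0, 0)


def installed_version(plugin_dir):
    """Read the header from whichever top-level *.php file carries it."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        if "Plugin Name:" in head:
            return parse_version(head)
    return None


def audit(root):
    """Return (path, version, status) for each WP Ticket copy under root."""
    results = []
    for d in sorted(Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}")):
        if not d.is_dir():
            continue
        v = installed_version(d)
        if v is None:
            status = "UNKNOWN"  # no readable header: review by hand
        else:
            status = "VULNERABLE" if v <= LAST_VULNERABLE else "PATCHED"
        results.append((str(d), v, status))
    return results


if __name__ == "__main__":
    # Usage: python audit_wp_ticket.py /var/www   (path is an example)
    for path, v, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(status, ".".join(map(str, v)) if v else "-", path)
```

A copy reported as `UNKNOWN` has no parseable header and should be checked manually rather than assumed patched.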
EUVD-2026-36636
GHSA-cmwh-2j7f-4vh3