Skip to main content

WP Support Plus EUVDEUVD-2026-40262

| CVE-2026-11589 HIGH
2026-06-30 WPScan GHSA-w4vj-qmqh-q69w
8.8
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
6.1 MEDIUM

Unauthenticated remote upload but payload needs a victim to open it (UI:R); stored XSS executes in another security context (S:C) with limited confidentiality/integrity impact and no availability impact, unlike the inflated vendor C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 30, 2026 - 13:24 vuln.today
CVSS changed
Jun 30, 2026 - 13:22 NVD
8.8 (HIGH)
CVE Published
Jun 30, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 06:00 cve.org
HIGH 8.8

DescriptionCVE.org

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.

AnalysisAI

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach public ticket-upload endpoint
Delivery
Upload malicious SVG/HTML payload
Exploit
File stored at public URL
Execution
Admin/user opens attachment
Persist
JavaScript runs in victim session
Impact
Steal session or act as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires that the WP Support Plus Responsive Ticket System plugin (≤9.1.2) be installed and that its file-upload/attachment feature be reachable by unauthenticated users - the default ticket-submission path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a support ticket with an attached SVG or HTML file containing embedded JavaScript, which the plugin stores at a publicly accessible URL without sanitization. When a support agent or administrator opens the attachment (or the URL is shared/clicked), the script executes in their authenticated session, enabling session/cookie theft or actions performed as that privileged user. …
Remediation No vendor-released patch version was identified at time of analysis - no fixed release (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable or uninstall WP Support Plus Responsive Ticket System; if operationally critical, restrict web server access to the plugin's upload directory to authenticated users only (via .htaccess, Nginx, or WAF rules). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy