Skip to main content

Wp Support Plus Responsive Ticket System

6 CVEs product

Monthly

CVE-2026-11875 MEDIUM POC This Month

Cookie forgery in WP Support Plus Responsive Ticket System (WordPress plugin ≤9.1.2) allows unauthenticated network attackers to impersonate any guest ticket owner by crafting an unsigned guest-session cookie containing the victim's email address, then reading, replying to, and closing that user's support tickets. The plugin fails to sign or verify its guest-session cookie, making the trust boundary between guest sessions trivially bypassable. A publicly available proof-of-concept exists per WPScan; EPSS is low at 0.14% (3rd percentile), suggesting limited observed exploitation despite automation feasibility confirmed by SSVC.

WordPress Information Disclosure Wp Support Plus Responsive Ticket System
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-11590 HIGH POC This Week

Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. Publicly available exploit code exists, though EPSS rates exploitation probability low (0.18%, 7th percentile) and it is not on CISA KEV.

WordPress SQLi Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-11589 HIGH POC This Week

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided.

WordPress XSS Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2019-15331 MEDIUM This Month

The wp-support-plus-responsive-ticket-system plugin before 9.1.2 for WordPress has HTML injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Wp Support Plus Responsive Ticket System
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2019-7299 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the submit_ticket.php module in the WP Support Plus Responsive Ticket System plugin 9.1.1 for WordPress allows remote attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress PHP Wp Support Plus Responsive Ticket System
NVD
CVSS 3.0
6.1
EPSS
1.7%
CVE-2018-1000131 CRITICAL POC Act Now

Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Wp Support Plus Responsive Ticket System
NVD GitHub
CVSS 3.0
9.8
EPSS
2.1%
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Cookie forgery in WP Support Plus Responsive Ticket System (WordPress plugin ≤9.1.2) allows unauthenticated network attackers to impersonate any guest ticket owner by crafting an unsigned guest-session cookie containing the victim's email address, then reading, replying to, and closing that user's support tickets. The plugin fails to sign or verify its guest-session cookie, making the trust boundary between guest sessions trivially bypassable. A publicly available proof-of-concept exists per WPScan; EPSS is low at 0.14% (3rd percentile), suggesting limited observed exploitation despite automation feasibility confirmed by SSVC.

WordPress Information Disclosure Wp Support Plus Responsive Ticket System
NVD WPScan
EPSS 0% CVSS 8.6
HIGH POC This Week

Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. Publicly available exploit code exists, though EPSS rates exploitation probability low (0.18%, 7th percentile) and it is not on CISA KEV.

WordPress SQLi Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided.

WordPress XSS Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
EPSS 1% CVSS 6.1
MEDIUM This Month

The wp-support-plus-responsive-ticket-system plugin before 9.1.2 for WordPress has HTML injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Wp Support Plus Responsive Ticket System
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the submit_ticket.php module in the WP Support Plus Responsive Ticket System plugin 9.1.1 for WordPress allows remote attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress PHP +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Wp Support Plus Responsive Ticket System
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy