WordPress Plugin Vulnerabilities

WP Support Plus Responsive Ticket System <= 9.1.2 - Unauthenticated SQL Injection via filter[elements] Array Keys

Description

The plugin does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

Proof of Concept

Affects Plugins

Plugin icon
wp-support-plus-responsive-ticket-system
No known fix

References

CVE
CVE-2026-11590

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Ayush Srivastava
Submitter
Ayush Srivastava
Verified
Yes
WPVDB ID
117853ca-0fd3-4bfa-ad60-799eb5c77bdf

Timeline

Publicly Published
2026-06-09 (about 21 days ago)
Added
2026-06-09 (about 20 days ago)
Last Updated
2026-06-29 (about 10 hours ago)

Other

Published
Title
Published
2025-03-04
Title
WP-Recall < 16.26.12 - Admin+ SQL Injection
Published
2022-10-03
Title
Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi
Published
2026-01-27
Title
VidShop – Shoppable Videos for WooCommerce < 1.1.5 - Unauthenticated Time-Based SQL Injection via 'fields'
Published
2023-02-27
Title
Slimstat Analytics < 4.9.3.3 - Subscriber+ SQL Injection
Published
2020-07-02
Title
Payment Form For Paypal Pro < 1.1.65 - Unauthenticated SQL Injection