{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-9848", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-05-28T14:16:28.104Z", "datePublished": "2026-06-13T02:29:03.120Z", "dateUpdated": "2026-06-15T19:26:11.086Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-06-13T02:29:03.120Z" }, "affected": [ { "vendor": "emarket-design", "product": "Customer Support Ticket System & Helpdesk", "versions": [ { "version": "0", "status": "affected", "lessThanOrEqual": "6.0.4", "versionType": "semver" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` — already wp_unslash()'d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped — and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database." } ], "title": "WP Ticket <= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter", "references": [ { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/98f16e3a-4ef3-43f9-86b2-2cf8e26f9c80?source=cve" }, { "url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L174" }, { "url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L164" }, { "url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/query-filters.php#L57" }, { "url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/filter-functions.php#L22" }, { "url": "https://plugins.trac.wordpress.org/changeset/3565099/wp-ticket/trunk/includes/common-functions.php" }, { "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-ticket/tags/6.0.4&new_path=%2Fwp-ticket/tags/6.0.5" } ], "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE" } ] } ], "metrics": [ { "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH" } } ], "credits": [ { "lang": "en", "type": "finder", "value": "she11f" } ], "timeline": [ { "time": "2026-05-28T14:31:42.000Z", "lang": "en", "value": "Vendor Notified" }, { "time": "2026-06-12T14:23:52.000Z", "lang": "en", "value": "Disclosed" } ] }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-15T16:52:00.110434Z", "id": "CVE-2026-9848", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T19:26:11.086Z" } } ] } }