CVE-2026-11589

Received Received - Intake

Stored XSS via Malicious File Upload in WP Support Plus Responsive Ticket System

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: WPScan

Description

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-30

Last Modified

2026-06-30

Generated

2026-06-30

AI Q&A

2026-06-30

EPSS Evaluated

N/A

NVD

CVE-2026-11589

EUVD

EUVD-2026-40262

Affected Vendors & Products

Vendor	Product	Version / Range
wp_support_plus	responsive_ticket_system	to 9.1.2 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-UNKNOWN

Attack-Flow Graph

Executive Summary

The vulnerability CVE-2026-11589 affects the WordPress plugin WP Support Plus Responsive Ticket System versions 9.1.2 and earlier.

It allows unauthenticated attackers to upload files containing malicious JavaScript, such as HTML or SVG files, without proper validation.

These files are stored in a publicly accessible location, which enables Stored Cross-Site Scripting (XSS) attacks against site users and administrators.

Impact Analysis

This vulnerability can lead to Stored Cross-Site Scripting (XSS) attacks, which may allow attackers to execute malicious scripts in the browsers of site users and administrators.

Such attacks can result in theft of sensitive information, session hijacking, defacement of the website, or unauthorized actions performed on behalf of legitimate users.

Since the vulnerability allows unauthenticated users to upload malicious files, it increases the risk of exploitation without requiring any prior access.

Mitigation Strategies

The vulnerability allows unauthenticated users to upload malicious JavaScript files to a publicly accessible location, leading to Stored Cross-Site Scripting attacks.

Since no known fix is currently available, immediate mitigation steps include restricting file upload permissions, disabling file uploads if possible, and monitoring for suspicious uploaded files.

Additionally, consider implementing web application firewall (WAF) rules to block malicious file uploads and scanning the upload directories regularly for unexpected file types such as HTML or SVG.

Hi! I’m here to help you understand CVE-2026-11589. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

Stored XSS via Malicious File Upload in WP Support Plus Responsive Ticket System

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart