SQL Injection in WP Support Plus Responsive Ticket System

Executive Summary

The vulnerability CVE-2026-11590 affects the WordPress plugin "WP Support Plus Responsive Ticket System" versions 9.1.2 and earlier.

It is an unauthenticated SQL injection flaw caused by the plugin not properly sanitizing user-supplied array keys before using them in SQL queries.

This means attackers can manipulate database queries without needing to be authenticated.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on the affected WordPress plugin.

Such attacks can lead to unauthorized access, data manipulation, or data leakage from the website's database.

Because the vulnerability has a high severity rating with a CVSS score of 8.6, it poses a significant security risk.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability affects versions 9.1.2 and earlier of the WP Support Plus Responsive Ticket System plugin and allows unauthenticated SQL injection due to improper sanitization of user input.

Since no known fix is currently available, immediate mitigation steps include:

• Disable or deactivate the vulnerable plugin until a patch or update is released.
• Restrict access to the WordPress installation or plugin endpoints to trusted users or IP addresses.
• Monitor your system for unusual database activity or signs of exploitation.
• Keep backups of your site and database to enable recovery in case of compromise.

Useful 0 Not Useful 0