CVE-2026-9848
Received Received - Intake
SQL Injection in WP Ticket WordPress Plugin

Publication date: 2026-06-13

Last updated on: 2026-06-13

Assigner: Wordfence

Description
The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` β€” already wp_unslash()'d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped β€” and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-13
Last Modified
2026-06-13
Generated
2026-06-13
AI Q&A
2026-06-13
EPSS Evaluated
N/A
NVD
CVE-2026-9848
EUVD
EUVD-2026-36636
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_ticket wp_ticket to 6.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow unauthenticated attackers to perform SQL Injection attacks, which can lead to unauthorized extraction of sensitive information from the database. Since the vulnerability has a CVSS base score of 7.5 with high confidentiality impact, it means attackers can access confidential data without any privileges or user interaction.

Executive Summary

The WP Ticket plugin for WordPress has a SQL Injection vulnerability in versions up to and including 6.0.4. This occurs via the WordPress search query parameter (`s`). The plugin uses the `posts_request` filter and calls a function that reads the search parameter without proper escaping or preparation. Because the input is concatenated directly into a SQL LIKE clause inside a UNION sub-SELECT, unauthenticated attackers can inject additional SQL queries. This allows them to extract sensitive information from the database.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9848. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart