CVE-2026-11875
Received Received - Intake

WP Support Plus Responsive Ticket System Session Cookie Spoofing

Vulnerability report for CVE-2026-11875, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: WPScan

Description

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sign or verify its guest-session cookie, allowing unauthenticated attackers to forge it and impersonate any ticket owner (identified by email address) to read, reply to, and close that person's support tickets.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_support_plus responsive_ticket_system to 9.1.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can have serious impacts as it allows attackers to impersonate legitimate users and gain unauthorized access to their support tickets.

  • Attackers can read sensitive information contained in support tickets.
  • Attackers can reply to tickets, potentially misleading support staff or the ticket owner.
  • Attackers can close tickets, disrupting legitimate support processes.

Overall, this can lead to data breaches, loss of trust, and disruption of customer support services.

Detection Guidance

This vulnerability involves the WP Support Plus Responsive Ticket System plugin failing to sign or verify its guest-session cookie, allowing attackers to forge it and impersonate ticket owners.

Detection would involve monitoring for suspicious or forged guest-session cookies associated with the plugin, especially cookies that allow access to tickets without proper authentication.

Since the attack exploits AJAX endpoints and nonces, inspecting HTTP requests to these endpoints for unusual cookie values or unauthorized ticket access attempts may help detect exploitation.

No specific detection commands are provided in the available resources.

Executive Summary

The vulnerability CVE-2026-11875 affects the WP Support Plus Responsive Ticket System WordPress plugin up to version 9.1.2. It is an Insecure Direct Object Reference (IDOR) vulnerability caused by the plugin's failure to sign or verify its guest-session cookie.

This flaw allows unauthenticated attackers to forge the guest-session cookie and impersonate any ticket owner by knowing or guessing their email address.

By exploiting this, an attacker can read, reply to, and close support tickets belonging to the victim without needing to authenticate.

Mitigation Strategies

There is currently no known fix for this vulnerability.

Immediate mitigation steps would include restricting access to the affected plugin's AJAX endpoints, monitoring and blocking suspicious guest-session cookies, and limiting exposure of ticket information.

Consider disabling or removing the WP Support Plus Responsive Ticket System plugin until a patch or update is released.

Compliance Impact

The vulnerability allows unauthenticated attackers to impersonate any ticket owner by forging a guest-session cookie, enabling them to read, reply to, and close support tickets belonging to that user.

This unauthorized access to potentially sensitive user support ticket data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on personal and sensitive information to prevent unauthorized disclosure or modification.

Specifically, the failure to properly sign or verify session cookies constitutes broken access control, increasing the risk of data breaches and non-compliance with standards mandating confidentiality and integrity of user data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart