CVE Catalog

CVE-2026-11589

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

The WP Support Plus Responsive Ticket System WordPress plugin through version 9.1.2 fails to properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.

Risk Assessment

An attacker can inject a persistent script that executes in the browsers of site visitors, potentially leading to session theft, administrator account takeover, or malware distribution.

Recommendation

Immediately update the WP Support Plus Responsive Ticket System plugin to the latest available version or remove it if not essential, and implement file type validation and antivirus scanning for uploaded files.

Original NVD description (English source)

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS