CVE-2026-9848
Description
Unauthenticated SQL injection in WP Ticket plugin ≤6.0.4 via search parameter allows attackers to extract database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Ticket plugin for WordPress versions up to and including 6.0.4 contains an unauthenticated SQL injection vulnerability in the search functionality. The plugin hooks WordPress's posts_request filter with wp_ticket_com_posts_request(), which calls emd_author_search_results() when the current request is an unauthenticated front-end search [1][2][3]. That function reads $query->query_vars['s'] — already wp_unslash()'d by WP_Query::parse_query(), so wp_magic_quotes protection has been stripped — and concatenates the raw value into a SQL LIKE clause inside a UNION sub-SELECT appended to the main query, with no $wpdb->prepare() or escaping [1][2][3].
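The pattern described above, shown as an added illustration beside its hardened form; this is not the WP Ticket plugin's own code, the function names and the shape of the appended sub-SELECT are assumptions, while the posts_request filter, WP_Query, $wpdb->prepare() and $wpdb->esc_like() are real WordPress APIs.

```php
<?php
// Added illustration, not the WP Ticket plugin's code. Function names and the
// shape of the appended sub-SELECT are assumptions; posts_request, WP_Query,
// $wpdb->prepare() and $wpdb->esc_like() are real WordPress APIs.

// UNSAFE: query_vars['s'] has already been wp_unslash()'d by
// WP_Query::parse_query(), so the raw term lands inside the quotes of a
// LIKE clause and can change the structure of the appended query.
function example_unsafe_posts_request( $request, $query ) {
    global $wpdb;
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return $request;
    }
    $s   = $query->query_vars['s'];
    $sub = "SELECT {$wpdb->posts}.* FROM {$wpdb->posts}"
         . " WHERE post_title LIKE '%{$s}%'";   // raw concatenation, no prepare()
    return $request . " UNION ( {$sub} )";
}

// HARDENED: the term never becomes part of the SQL text. esc_like() makes
// % and _ match literally, and prepare() binds the whole value as a single
// quoted, escaped string literal.
function example_safe_posts_request( $request, $query ) {
    global $wpdb;
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return $request;
    }
    $s = (string) $query->query_vars['s'];
    if ( '' === $s ) {
        return $request;
    }
    $like = '%' . $wpdb->esc_like( $s ) . '%';
    $sub  = $wpdb->prepare(
        "SELECT {$wpdb->posts}.* FROM {$wpdb->posts} WHERE post_title LIKE %s",
        $like
    );
    return $request . " UNION ( {$sub} )";
}
add_filter( 'posts_request', 'example_safe_posts_request', 10, 2 );
```

A code review or static check for this class of bug looks for any $wpdb query string built with interpolation or concatenation of request-derived values outside of $wpdb->prepare().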
Exploitation
An unauthenticated attacker can exploit this by sending a crafted HTTP request to a WordPress front-end search page that triggers the WP Ticket plugin's search handler. The attacker supplies a malicious value in the s query parameter. Because the value is directly concatenated into a SQL LIKE clause without sanitization, the attacker can inject arbitrary SQL commands, typically using a UNION-based payload to retrieve data from other database tables [1][2][3]. No authentication or special privileges are required; the only condition is that the site has the WP Ticket plugin active and the search functionality is exposed (which is the default behavior).
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the WordPress database. This can lead to the extraction of sensitive information, such as user credentials (usernames and password hashes), private posts, and other confidential data stored in the database [1][2][3]. The attacker gains the ability to read any data accessible to the WordPress database user, potentially compromising the entire site.
Mitigation
The vulnerability has been fixed in version 6.0.5 of the WP Ticket plugin, released on 2026-06-08 [4]. Users should update to version 6.0.5 or later immediately. No workaround is available for older versions; the only effective mitigation is to apply the patch [4].
- [1] https://plugins.trac.wordpress.org/changeset/3565099/wp-ticket/trunk/includes/common-functions.php
- [2] https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L164
- [3] https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L174
- [4] Customer Support Ticket System & Helpdesk
AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (no CPE assigned):
- (no CPE) affected range: <=6.0.4
- (no CPE) affected range: <=6.0.4
Patches
- r3565099
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7 references (source: NVD):
- https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php
- https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php
- https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/filter-functions.php
- https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/query-filters.php
- https://plugins.trac.wordpress.org/changeset/3565099/wp-ticket/trunk/includes/common-functions.php
- https://plugins.trac.wordpress.org/changeset
- https://www.wordfence.com/threat-intel/vulnerabilities/id/98f16e3a-4ef3-43f9-86b2-2cf8e26f9c80