{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-9848","assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","state":"PUBLISHED","assignerShortName":"Wordfence","dateReserved":"2026-05-28T14:16:28.104Z","datePublished":"2026-06-13T02:29:03.120Z","dateUpdated":"2026-06-15T19:26:11.086Z"},"containers":{"cna":{"providerMetadata":{"orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence","dateUpdated":"2026-06-13T02:29:03.120Z"},"affected":[{"vendor":"emarket-design","product":"Customer Support Ticket System & Helpdesk","versions":[{"version":"0","status":"affected","lessThanOrEqual":"6.0.4","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4. The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` — already wp_unslash()'d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped — and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database."}],"title":"WP Ticket <= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter","references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/98f16e3a-4ef3-43f9-86b2-2cf8e26f9c80?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L174"},{"url":"https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L164"},{"url":"https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/query-filters.php#L57"},{"url":"https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/filter-functions.php#L22"},{"url":"https://plugins.trac.wordpress.org/changeset/3565099/wp-ticket/trunk/includes/common-functions.php"},{"url":"https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-ticket/tags/6.0.4&new_path=%2Fwp-ticket/tags/6.0.5"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","cweId":"CWE-89","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH"}}],"credits":[{"lang":"en","type":"finder","value":"she11f"}],"timeline":[{"time":"2026-05-28T14:31:42.000Z","lang":"en","value":"Vendor Notified"},{"time":"2026-06-12T14:23:52.000Z","lang":"en","value":"Disclosed"}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-15T16:52:00.110434Z","id":"CVE-2026-9848","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-15T19:26:11.086Z"}}]}}