CVE-2026-9848

The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` — already wp_unslash()'d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped — and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L164
https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L174
https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/filter-functions.php#L22
https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/query-filters.php#L57
https://plugins.trac.wordpress.org/changeset/3565099/wp-ticket/trunk/includes/common-functions.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-ticket/tags/6.0.4&new_path=%2Fwp-ticket/tags/6.0.5
https://www.wordfence.com/threat-intel/vulnerabilities/id/98f16e3a-4ef3-43f9-86b2-2cf8e26f9c80?source=cve

Configurations

No configuration.

History

13 Jun 2026, 03:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-13 03:16

Updated : 2026-06-15 20:42

NVD link : CVE-2026-9848

Mitre link : CVE-2026-9848

CVE.ORG link : CVE-2026-9848

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-9848", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-06-13T03:16:22.017", "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L164", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L174", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/filter-functions.php#L22", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/query-filters.php#L57", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3565099/wp-ticket/trunk/includes/common-functions.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-ticket/tags/6.0.4&new_path=%2Fwp-ticket/tags/6.0.5", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/98f16e3a-4ef3-43f9-86b2-2cf8e26f9c80?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` \u2014 already wp_unslash()'d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped \u2014 and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database."}], "lastModified": "2026-06-15T20:42:32.707", "sourceIdentifier": "security@wordfence.com"}