CVE-2018-1000131
CRITICAL
Wpsupportplus WP Support Plus Responsive Ticket System < 9.0.2 - SQL Injection
Title source: ruleDescription
Pradeep Makone WordPress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL injection vulnerability in the function to get tickets: the email parameter in the cookie is injectable, which can result in filter the parameter. This attack appears to be exploitable via the web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later.
References (3)
Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9041
Exploit, Third Party Advisory x_refsource_misc
https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
Release Notes, Third Party Advisory x_refsource_confirm
https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/#developers
Scores
CVSS v3
9.8
EPSS
0.0076
EPSS Percentile
73.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
wpsupportplus/wp_support_plus_responsive_ticket_system
< 9.0.2
Published
Mar 14, 2018
Tracked Since
Feb 18, 2026