CVE-2018-1000131
CRITICAL
WP Support Plus Responsive Ticket System < 9.0.2 - Unauthenticated SQL Injection via Email Cookie Parameter
Title source: llm
Description
Pradeep Makone WordPress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appears to be exploitable via the web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later.
References (3)
Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9041
Exploit, Third Party Advisory x_refsource_misc
https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
Release Notes, Third Party Advisory x_refsource_confirm
https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/#developers
Scores
CVSS v3: 9.8
EPSS: 0.0213
EPSS Percentile: 79.6%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-89
Status: published
Products (1): wpsupportplus/wp_support_plus_responsive_ticket_system < 9.0.2
Published: Mar 14, 2018
Tracked Since: Feb 18, 2026