CVE-2026-11590 PUBLISHED

WP Support Plus Responsive Ticket System <= 9.1.2 - Unauthenticated SQL Injection via filter[elements] Array Keys

Assigner: WPScan
Reserved: 08.06.2026 Published: 30.06.2026 Updated: 30.06.2026

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

Product Status

Vendor	Unknown
Product	WP Support Plus Responsive Ticket System
Versions	Default: unknown affected from 0 to 9.1.2 (incl.)

Credits

Ayush Srivastava finder
WPScan coordinator

References

https://wpscan.com/vulnerability/117853ca-0fd3-4bfa-ad60-799eb5c77bdf/

Problem Types

CWE-89 SQL Injection CWE