CVE-2026-11875 PUBLISHED

WP Support Plus Responsive Ticket System <= 9.1.2 - Unauthenticated Support Ticket Access via Session Cookie Forgery

Assigner: WPScan
Reserved: 10.06.2026 Published: 09.07.2026 Updated: 09.07.2026

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sign or verify its guest-session cookie, allowing unauthenticated attackers to forge it and impersonate any ticket owner (identified by email address) to read, reply to, and close that person's support tickets.

Product Status

Vendor Unknown
Product WP Support Plus Responsive Ticket System
Versions Default: unknown
  • affected from 0 to 9.1.2 (incl.)

Credits

  • Kartik sharma finder
  • WPScan coordinator

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key CWE