The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (s) in versions up to, and including, 6.0.4 The plugin hooks WordPress's posts_request filter with wp_ticket_com_posts_request(), which calls emd_author_search_results() when the current request is an unauthenticated front-end search. That function reads $query->query_vars['s'] — already wp_unslash()'d by WP_Query::parse_query(), so wp_magic_quotes protection has been stripped — and concatenates the raw value into a SQL LIKE clause inside a UNION sub-SELECT appended to the main query, with no $wpdb->prepare() or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database.