CVE-2026-9848 HIGH

CVE-2026-9848: WP Ticket <= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter

Vendor Emarket-Design
Product Customer Support Ticket System & Helpdesk
Weakness CWE-89 · SQLi
Published June 13, 2026
Last update June 15, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` — already wp_unslash()'d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped — and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database.

Explanation of Vulnerability in Simple Terms

02Summary

The Customer Support Ticket System & Helpdesk contains a SQL injection vulnerability in versions up to 6.0.4. An attacker on the network can craft malicious input to read sensitive data from the database without authentication. No user interaction is required. Update to a version newer than 6.0.4 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Read sensitive data from the site's database, including customer information and internal records.

Potential impact on your site

04Site Impact

Customer data, support tickets, and other database records can be exposed to unauthorized access.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 13, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

08Related CVE