CVE-2026-11875 in WP Support Plus Responsive Ticket System Plugininfo

Summary

by MITRE • 07/09/2026

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sign or verify its guest-session cookie, allowing unauthenticated attackers to forge it and impersonate any ticket owner (identified by email address) to read, reply to, and close that person's support tickets.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The WP Support Plus Responsive Ticket System plugin presents a critical authentication bypass vulnerability through its improper handling of guest-session cookies. This flaw affects versions up to 9.1.2 and stems from the absence of cryptographic signing or verification mechanisms for session data. The vulnerability allows unauthenticated attackers to craft malicious cookies that appear legitimate to the system, enabling them to assume the identity of any ticket owner based on their email address. This represents a fundamental failure in session management practices that violates core security principles.

The technical implementation of this vulnerability occurs at the cookie validation layer where the plugin accepts guest-session cookies without performing cryptographic verification. The lack of signature validation creates an attack surface where attackers can manipulate cookie contents to impersonate legitimate users. According to CWE-613, this represents an insufficient session management weakness that allows attackers to maintain access after authentication has ended. The vulnerability specifically targets the guest ticketing functionality, which relies on email addresses as identifiers for ticket ownership rather than implementing proper authentication tokens or session handling mechanisms.

Operationally, this vulnerability enables attackers to gain unauthorized access to sensitive customer support data including ticket content, correspondence history, and communication threads. The impact extends beyond mere information disclosure as attackers can actively manipulate support tickets by replying to them, closing legitimate requests, or creating false resolutions. This compromises the integrity of the support system and potentially exposes confidential customer information that may contain personal data, business-sensitive communications, or proprietary information. The ATT&CK framework categorizes this as privilege escalation through credential manipulation, where attackers exploit weak session management to gain elevated access rights without proper authentication.

The mitigation strategy requires implementing cryptographic signing for all guest-session cookies using industry-standard approaches such as HMAC-SHA256 or similar secure hash algorithms. The plugin must validate cookie signatures before accepting them as legitimate and reject any modified or forged session data. Additionally, implementing proper session timeout mechanisms, enforcing secure cookie attributes including HttpOnly and Secure flags, and utilizing unique identifiers for each session rather than relying solely on email-based identification will significantly reduce the attack surface. Organizations should also consider implementing rate limiting and monitoring for unusual ticket access patterns to detect potential exploitation attempts. The vulnerability demonstrates the critical importance of proper session management practices as outlined in OWASP Top Ten category a07: Identification and Authentication Failures, emphasizing that all session data must be properly validated and authenticated before being accepted by the application.

Responsible

WPScan

Reservation

06/10/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!