CVE-2026-13262 in Majestic Support Plugin
Summary
by MITRE • 07/11/2026
The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a valid 'get-smart-reply' nonce, which any Subscriber-level user can obtain by creating a ticket via the public frontend and visiting the resulting ticket detail page, making this effectively exploitable by any authenticated user.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/11/2026
The Majestic Support WordPress plugin presents a critical security vulnerability classified as generic SQL Injection affecting versions up to and including 1.1.9. This vulnerability stems from inadequate input sanitization practices within the plugin's codebase, specifically in how it handles the 'val' parameter within its database query operations. The flaw manifests when user-supplied data is directly incorporated into SQL statements without proper escaping mechanisms or parameterized query preparation techniques. According to CWE-89, this represents a classic SQL injection vulnerability where malicious input can manipulate existing database queries to execute unauthorized commands.
The exploitation pathway for this vulnerability is particularly concerning due to its accessibility requirements. While the attack does require a valid 'get-smart-reply' nonce, this credential can be obtained by any subscriber-level user through legitimate plugin functionality. Attackers need only create a ticket via the public frontend interface and then navigate to the resulting ticket detail page to acquire the necessary nonce value. This effectively lowers the barrier to exploitation from unauthenticated attackers to any authenticated user with subscriber privileges, making the vulnerability particularly dangerous in multi-user environments where users may have elevated access levels.
The operational impact of this vulnerability extends beyond simple data extraction capabilities. Successful exploitation allows attackers to append additional SQL queries to existing database operations, potentially enabling them to extract sensitive information including user credentials, personal data, and administrative details stored within the WordPress database. This type of attack aligns with ATT&CK technique T1213.002 for Data from Databases, where adversaries target database systems to obtain valuable information assets. The vulnerability's scope includes potential disclosure of user accounts, support ticket contents, and any other data stored in the plugin's database tables.
Mitigation strategies should prioritize immediate patching of affected versions to address the core SQL injection flaw through proper input validation and parameterized query implementation. Administrators should implement network-level protections including firewall rules to restrict access to plugin endpoints where possible. Additionally, regular security audits of WordPress plugins should include verification of input sanitization practices and proper database query construction methods. The vulnerability demonstrates the importance of following secure coding practices as outlined in OWASP Top 10 and NIST guidelines for preventing SQL injection attacks through proper parameterization and input validation controls at all levels of application development.