CVE-2026-11589
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
The WP Support Plus Responsive Ticket System WordPress plugin through version 9.1.2 fails to properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.
Risk Assessment
An attacker can inject a persistent script that executes in the browsers of site visitors, potentially leading to session theft, administrator account takeover, or malware distribution.
Recommendation
Immediately update the WP Support Plus Responsive Ticket System plugin to the latest available version or remove it if not essential, and implement file type validation and antivirus scanning for uploaded files.
Original NVD description (English source)
The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.

