ZeroPath at Black Hat USA 2026

WP Ticket Plugin CVE-2026-9848: Brief Summary of an Unauthenticated SQL Injection via WordPress Search

A brief summary of CVE-2026-9848, an unauthenticated SQL injection in the WP Ticket WordPress plugin that allows attackers to extract database contents through the standard search parameter without any authentication.

CVE Analysis

9 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-12

WP Ticket Plugin CVE-2026-9848: Brief Summary of an Unauthenticated SQL Injection via WordPress Search
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated SQL injection in the WP Ticket WordPress plugin allows any remote attacker to extract sensitive database contents simply by submitting a crafted search query on the site's front end. The vulnerability, tracked as CVE-2026-9848 with a CVSS score of 7.5, requires no authentication, no privileges, and no user interaction, making it trivially exploitable against any WordPress site running WP Ticket versions 6.0.4 and earlier.

WP Ticket, officially titled "Customer Support Ticket System & Helpdesk," is a WordPress plugin developed by eMarket Design LLC that provides a customer support ticket management system integrated into WordPress. The plugin has approximately 400+ active installations and has been available on the WordPress.org repository since December 2014. While its installation base is modest, eMarket Design markets its products as enterprise grade solutions for business applications built on WordPress.

Technical Information

Root Cause: wp_unslash() Stripping Magic Quotes Before Unsafe SQL Concatenation

The core of this vulnerability lies in a subtle but well documented interaction between WordPress core's input handling and the WP Ticket plugin's failure to use parameterized queries. Understanding the full chain requires tracing how user input flows from the HTTP request to the SQL query.

WordPress automatically applies wp_magic_quotes() to superglobal data ($_GET, $_POST, $_REQUEST, $_COOKIE) early in the request lifecycle. This function adds backslash escaping to quotes, providing a baseline layer of protection. However, when WP_Query::parse_query() processes the search parameter s, it calls wp_unslash() on the value, stripping those protective backslashes before storing the result in $query->query_vars['s']. This behavior is explicitly documented in the Wordfence SQL injection research guide as a known pitfall for plugin developers.

The Vulnerable Code Path

The attack chain follows four steps through the plugin's filter hooks:

Step 1: Filter Registration. The plugin hooks WordPress's posts_request filter via wp_ticket_com_posts_request(), defined in filter-functions.php at line 22. This filter fires whenever WordPress constructs a SQL query for posts.

Step 2: Request Interception. When the current request is an unauthenticated front end search, wp_ticket_com_posts_request() calls emd_author_search_results(), defined in common-functions.php at lines 164 and 174. The connection through the filter chain is established via query-filters.php at line 57.

Step 3: Unsafe Input Retrieval. The emd_author_search_results() function reads $query->query_vars['s']. As described above, this value has already been processed by wp_unslash(), meaning the wp_magic_quotes() protection has been stripped. The raw, unescaped user input is now available to the plugin.

Step 4: Direct SQL Concatenation. The function concatenates this raw value directly into a SQL LIKE clause inside a UNION sub-SELECT that is appended to the main WordPress query. No $wpdb->prepare(), no esc_sql(), and no other escaping mechanism is applied.

Exploitation Flow

An attacker exploits this vulnerability through the following steps:

  1. The attacker identifies a WordPress site running WP Ticket version 6.0.4 or earlier. The plugin's presence can often be detected through front end markup or by probing for known plugin endpoints.

  2. The attacker sends a standard HTTP GET request to the WordPress search endpoint (typically /?s=) with a crafted value in the s parameter containing SQL syntax.

  3. Because the search value is concatenated into a LIKE clause within a UNION sub-SELECT, the attacker can terminate the LIKE clause using a single quote and inject additional SQL statements.

  4. Using UNION SELECT injection, the attacker can query arbitrary tables in the WordPress database, extracting user password hashes, email addresses, authentication tokens, site configuration data, and any other stored information.

  5. If direct output is not visible in the search results page, the attacker can fall back to blind SQL injection techniques: boolean-based (observing differences in response content based on true/false conditions) or time-based (using SLEEP() or BENCHMARK() to infer data from response timing).

The entire attack requires only a web browser or a simple HTTP client. No authentication, no CSRF token, and no user interaction are needed.

CVSS Breakdown

The CVSS v3.1 score of 7.5 (assessed by Wordfence as CNA) breaks down as follows:

MetricValueMeaning
Attack VectorNetworkExploitable remotely over the internet
Attack ComplexityLowNo specialized conditions required
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo victim action required
ScopeUnchangedImpact confined to vulnerable component
ConfidentialityHighFull database information disclosure possible
IntegrityNoneNo direct data modification via this vector
AvailabilityNoneNo direct denial of service impact

The NVD's own CVSS assessment was still pending at the time of this writing, with only the Wordfence CNA assessment available.

The Fix

Changeset 3565099 in version 6.0.5 replaces the direct variable concatenation with $wpdb->prepare() parameterized statements, using proper placeholders so that user-supplied values are automatically escaped before being incorporated into the SQL query.

Affected Systems and Versions

The vulnerability affects the WP Ticket plugin (slug: wp-ticket, full title: "Customer Support Ticket System & Helpdesk") for WordPress in all versions up to and including 6.0.4.

Version 6.0.5, released on June 8, 2026, contains the fix. The plugin requires WordPress version 4.5 or higher and has been tested up to WordPress 7.0. PHP 8 compatibility was tested as of version 5.11.0.

Any WordPress site running WP Ticket 6.0.4 or earlier with the front end search functionality accessible to unauthenticated users is vulnerable.

Vendor Security History

eMarket Design LLC's WP Ticket plugin has accumulated a notable track record of security issues. The Wordfence WordPress Plugin Vulnerability Database lists 8 total vulnerabilities for this plugin. The changelog on the WordPress.org plugin page reveals the following pattern of security fixes:

VersionSecurity Fix
6.0.5Unauthenticated SQL Injection via search 's' parameter (CVE-2026-9848)
6.0.3XSS vulnerability fix
6.0.1XSS vulnerability fix
5.13XSS vulnerability fix
5.6.0XSS vulnerability fix
5.1.0WP Sessions security vulnerability fix

This pattern of recurring security defects spanning multiple vulnerability classes (XSS, session security, and now SQL injection) suggests a systemic gap in secure coding practices within the development process. The specific failure to use $wpdb->prepare() in a function that processes unauthenticated user input is a fundamental secure coding error. Organizations relying on this plugin should factor the vendor's security posture into their risk assessment.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization