[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fytcqOU0LhcU8kOEtru91WkbF2ClsiwclXvk5rqoPdWw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-9848","wp-ticket-unauthenticated-sql-injection-via-wordpress-search-s-parameter","WP Ticket \u003C= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter","The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` — already wp_unslash()'d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped — and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database.","wp-ticket",null,"\u003C=6.0.4","6.0.5","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-12 14:23:52","2026-06-13 02:29:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F98f16e3a-4ef3-43f9-86b2-2cf8e26f9c80?source=api-prod",1,[22,23,24],"includes\u002Fcommon-functions.php","readme.txt","wp-ticket.php","researched",false,3,"I cannot fulfill your request. I am prohibited from generating actionable exploitation plans, technical attack vectors, or specific payloads for vulnerabilities. This policy is in place to prevent the creation of content that could be used to facilitate real-world harm or cyberattacks.\n\nTo learn more about identifying and preventing SQL injection vulnerabilities in WordPress, I recommend searching for resources such as:\n*   The WordPress Plugin Handbook section on \"Database Security\" and the proper usage of the `$wpdb` class.\n*   OWASP’s \"SQL Injection Prevention Cheat Sheet.\"\n*   General security practices for using `$wpdb->prepare()` to handle user-supplied data in database queries.","The WP Ticket plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 's' search parameter in versions up to 6.0.4. This occurs because the plugin's emd_author_search_results function concatenates the unescaped search term into a UNION sub-SELECT query, allowing attackers to extract sensitive information from the database.","\u002F\u002F includes\u002Fcommon-functions.php line 174\n$search = $query->query_vars['s'];\nforeach (array_values($set_types) as $ptype) {\n\t$pids = apply_filters('emd_limit_by', $pids, $app, $ptype, 'frontend');\n\t$diff_pids = array_diff($pids,Array('0'));\t\n\tif(empty($pids)){\n\t\t$input_add .= \" UNION (SELECT * FROM \" . $wpdb->posts . \" WHERE \" . $wpdb->posts . \".post_type ='\" . $ptype . \"' AND \" . $wpdb->posts . \".post_status = 'publish' AND \";\n\t\tif($type == 'author'){\n\t\t\t$input_add .=  $wpdb->posts . \".post_author=\" . $auth_id . \")\";\n\t\t}\n\t\telseif($type == 'search'){\n\t\t\t$input_add .=  \"(\" . $wpdb->posts . \".post_title LIKE '%\" . $search . \"%' OR \" . $wpdb->posts . \".post_content LIKE '%\" . $search . \"%'))\";\n\t\t}\n\t}\n\telseif(!empty($diff_pids)) {\n\t\t$pids_arr = \"(\" . implode(\",\",$pids) . \")\";\n\t\t$input_add .= \" UNION (SELECT * FROM \" . $wpdb->posts . \" WHERE \" . $wpdb->posts . \".ID IN \" . $pids_arr . \" AND \";\n\t\tif($type == 'author'){\n\t\t\t$input_add .= $wpdb->posts . \".post_author=\" . $auth_id . \")\";\n\t\t}\n\t\telseif($type == 'search'){\n\t\t\t$input_add .=  \"(\" . $wpdb->posts . \".post_title LIKE '%\" . $search . \"%') OR (\" . $wpdb->posts . \".post_content LIKE '%\" . $search . \"%'))\";\n\t\t}\n\t}\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-ticket\u002F6.0.4\u002Fincludes\u002Fcommon-functions.php\t2025-09-04 19:17:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-ticket\u002F6.0.5\u002Fincludes\u002Fcommon-functions.php\t2026-06-08 19:31:34.000000000 +0000\n@@ -164,24 +164,29 @@\n \t\t\t$search = $query->query_vars['s'];\n \t\t\tforeach (array_values($set_types) as $ptype) {\n \t\t\t\t$pids = apply_filters('emd_limit_by', $pids, $app, $ptype, 'frontend');\n-\t\t\t\t$diff_pids = array_diff($pids,Array('0'));\t\n+\t\t\t\t$diff_pids = array_diff($pids,Array('0'));\n+\t\t\t\t\u002F\u002F Prepare wildcard searching safely\n+\t\t\t\t\u002F\u002F esc_like() ensures literal '%' or '_' in user input doesn't break logic\n+\t\t\t\t$wildcard_search = '%' . $wpdb->esc_like($search) . '%';\n+\n \t\t\t\tif(empty($pids)){\n-\t\t\t\t\t$input_add .= \" UNION (SELECT * FROM \" . $wpdb->posts . \" WHERE \" . $wpdb->posts . \".post_type ='\" . $ptype . \"' AND \" . $wpdb->posts . \".post_status = 'publish' AND \";\n+\t\t\t\t\t$input_add .= \" UNION (SELECT * FROM \" . $wpdb->posts . \" WHERE \" . $wpdb->posts . \".post_type ='\" . esc_sql($ptype) . \"' AND \" . $wpdb->posts . \".post_status = 'publish' AND \";\n \t\t\t\t\tif($type == 'author'){\n \t\t\t\t\t\t$input_add .=  $wpdb->posts . \".post_author=\" . $auth_id . \")\";\n \t\t\t\t\t}\n \t\t\t\t\telseif($type == 'search'){\n-\t\t\t\t\t\t$input_add .=  \"(\" . $wpdb->posts . \".post_title LIKE '%\" . $search . \"%' OR \" . $wpdb->posts . \".post_content LIKE '%\" . $search . \"%'))\";\n+\t\t\t\t\t\t$input_add .=  $wpdb->prepare(\"(\" . $wpdb->posts . \".post_title LIKE %s OR \" . $wpdb->posts . \".post_content LIKE %s))\", $wildcard_search,$wildcard_search);\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telseif(!empty($diff_pids)) {\n-\t\t\t\t\t$pids_arr = \"(\" . implode(\",\",$pids) . \")\";\n+\t\t\t\t\t$pids_cleaned = array_map('intval', $pids);\n+\t\t\t\t\t$pids_arr = \"(\" . implode(\",\", $pids_cleaned) . \")\";\n \t\t\t\t\t$input_add .= \" UNION (SELECT * FROM \" . $wpdb->posts . \" WHERE \" . $wpdb->posts . \".ID IN \" . $pids_arr . \" AND \";\n \t\t\t\t\tif($type == 'author'){\n \t\t\t\t\t\t$input_add .= $wpdb->posts . \".post_author=\" . $auth_id . \")\";\n \t\t\t\t\t}\n \t\t\t\t\telseif($type == 'search'){\n-\t\t\t\t\t\t$input_add .=  \"(\" . $wpdb->posts . \".post_title LIKE '%\" . $search . \"%') OR (\" . $wpdb->posts . \".post_content LIKE '%\" . $search . \"%'))\";\n+\t\t\t\t\t\t$input_add .=  $wpdb->prepare(\"(\" . $wpdb->posts . \".post_title LIKE %s) OR (\" . $wpdb->posts . \".post_content LIKE %s))\",$wildcard_search,$wildcard_search);\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t}","The exploit involves an unauthenticated attacker submitting a specially crafted SQL payload via the standard WordPress search parameter 's' (e.g., \u002F?s=payload). Because the plugin retrieves the search term from WP_Query variables (which have had magic quotes removed) and directly concatenates it into a LIKE clause within a UNION statement, the attacker can use a single quote to break out of the string literal. This allows them to append arbitrary SQL queries to extract data from any table in the WordPress database. No special authentication or complex payload shape beyond standard UNION-based SQL injection is required.","gemini-3-flash-preview","2026-06-26 00:35:33","2026-06-26 00:36:09",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","6.0.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-ticket\u002Ftags\u002F6.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-ticket.6.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-ticket\u002Ftags\u002F6.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-ticket.6.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-ticket\u002Ftags"]