CVE-2026-11589
WP Support Plus Responsive Ticket System <= 9.1.2 - Unauthenticated Stored XSS via File Upload
Vexday Risk Score
41 (Attention)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.8 | EPSS 0.3% | KEV: no | PoC: public | Nuclei: — | Metasploit: — | Patch: —
Lifecycle
30 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Unknown · WP Support Plus Responsive Ticket System
Public PoCs found — 1
cve_reference: wpscan.com/vulnerability/c46479c2-4eef-485f-ae98-1f487efa4263/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.