Impact
The vulnerability allows any unauthenticated user to gain elevated privileges within a WordPress site that has the Support Ticket Management System plugin installed. Due to improper privilege management (CWE‑266), an attacker can elevate a non‑admin role to full administrator levels, enabling the creation, modification, or deletion of content, data, and site settings. This compromise undermines the confidentiality, integrity, and availability of the website and any data processed by the plugin.
Affected Systems
WordPress sites running the Support Ticket Management System plugin from Theme Passion, versions 1.9 and earlier are affected. No other vendors or products are listed.
Risk and Exploitability
The issue has a CVSS score of 9.8, indicating critical severity. The EPSS score is not provided, and the vulnerability is not in the CISA KEV catalog. Attackers can exploit the flaw remotely through the plugin interface without authentication, making the risk high for any site that has not applied a fix.
OpenCVE Enrichment