Description
Unauthenticated Privilege Escalation in Support Ticket Management System <= 1.9 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows any unauthenticated user to gain elevated privileges within a WordPress site that has the Support Ticket Management System plugin installed. Due to improper privilege management (CWE‑266), an attacker can elevate a non‑admin role to full administrator levels, enabling the creation, modification, or deletion of content, data, and site settings. This compromise undermines the confidentiality, integrity, and availability of the website and any data processed by the plugin.

Affected Systems

WordPress sites running the Support Ticket Management System plugin from Theme Passion, versions 1.9 and earlier are affected. No other vendors or products are listed.

Risk and Exploitability

The issue has a CVSS score of 9.8, indicating critical severity. The EPSS score is not provided, and the vulnerability is not in the CISA KEV catalog. Attackers can exploit the flaw remotely through the plugin interface without authentication, making the risk high for any site that has not applied a fix.

Generated by OpenCVE AI on June 18, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Support Ticket Management System plugin to the latest release that addresses the privilege escalation flaw (any version newer than 1.9).
  • Review all WordPress user roles and remove any unnecessary role‑elevating capabilities added by the plugin. Ensure that only trusted administrators have high‑level privileges and that no non‑admin roles can be promoted via the plugin.
  • Audit the site for any unauthorized or unexpected role changes and disable any legacy plugin components that may still expose elevated permissions.

Generated by OpenCVE AI on June 18, 2026 at 12:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Theme Passion
Theme Passion support Ticket Management System
Wordpress
Wordpress wordpress
Vendors & Products Theme Passion
Theme Passion support Ticket Management System
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Privilege Escalation in Support Ticket Management System <= 1.9 versions.
Title WordPress Support Ticket Management System plugin <= 1.9 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Theme Passion Support Ticket Management System
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:32:10.518Z

Reserved: 2025-12-29T11:20:07.744Z

Link: CVE-2025-69179

cve-icon Vulnrichment

Updated: 2026-06-17T15:32:04.268Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:43Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment