The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate, long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The WP Support Plus Responsive Ticket System plugin through version 9.1.2 contains a critical file upload vulnerability that bypasses validation controls, permitting unauthenticated attackers to upload malicious files to publicly accessible directories. By uploading files with executable content disguised as images or documents—particularly HTML and SVG files containing embedded JavaScript—attackers can achieve Stored Cross-Site Scripting (XSS) attacks that persist in the application and execute in the browsers of site visitors, administrators, and support staff. This vulnerability affects any WordPress installation running this plugin, creating a wide attack surface since the plugin is designed for support ticket management where file uploads are a core feature. The impact extends beyond individual site compromise; attackers can steal session tokens, harvest credentials, modify ticket content, or pivot to administrative accounts.
Casky's platform, powered by Claude AI with extended reasoning capabilities and 754 mapped security skills, would detect this attack pattern by analyzing file upload behaviors and execution contexts typically associated with Improper Input Validation (CWE-20 adjacent issues) and Client-Side Injection techniques. While this specific CVE lacks explicit MITRE ATT&CK mappings, practitioners using Casky would observe detection patterns correlating to T1190 (Exploit Public-Facing Application) and T1498 (Network Denial of Service) preparation activities, along with indicators of T1059 (Command and Scripting Interpreter) execution when uploaded SVG/HTML files trigger JavaScript execution. Claude's reasoning engine would correlate suspicious file extension mismatches, MIME type inconsistencies, and the presence of script tags within uploaded assets—generating findings that help practitioners identify both the vulnerability itself and post-exploitation behavioral signals before attackers establish persistence.
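The signals named above (file extension mismatches, content-type inconsistencies, and script inside uploaded assets) can be checked directly on stored ticket attachments. The following is an added example, not Casky's or the plugin's code; the function names, marker patterns and sample files are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Leading bytes of formats a ticket attachment commonly claims to be.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"GIF87a": "gif", b"GIF89a": "gif", b"%PDF-": "pdf"}
EXT_ALIASES = {"jpg": "jpeg", "htm": "html", "xhtml": "html"}
# Types a browser renders as a document, so script inside runs in the site's origin.
RENDERABLE = {"html", "svg"}
MARKUP = re.compile(rb"<\s*(svg|html|!doctype\s+html)\b", re.I)
ACTIVE = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)

def sniff(data: bytes) -> str:
    """Type suggested by the content alone, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    m = MARKUP.search(data[:4096])
    if m:
        return "svg" if m.group(1).lower() == b"svg" else "html"
    return "unknown"

def audit_upload(name: str, data: bytes) -> list[str]:
    """Findings for one stored upload; an empty list means nothing was flagged."""
    raw_ext = PurePosixPath(name).suffix.lstrip(".").lower()
    ext = EXT_ALIASES.get(raw_ext, raw_ext)
    actual = sniff(data)
    findings = []
    if actual not in ("unknown", ext):
        findings.append(f"extension-mismatch: .{raw_ext} holds {actual}")
    if RENDERABLE & {ext, actual}:
        findings.append("browser-renderable type")
    # Only text-like content is scanned, to avoid chance matches in binary images.
    if actual in RENDERABLE | {"unknown"} and ACTIVE.search(data):
        findings.append("active content")
    return findings

# Constructed sample uploads, not taken from the advisory.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "invoice.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)"/>',
    "photo.jpg": b"<!DOCTYPE html><html><script>console.log(1)</script></html>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, audit_upload(name, data) or "ok")
```

A file that begins with valid image magic bytes and carries markup later is reported as the image type by this check. Serving attachments with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` limits that case independently of scanning.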
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11589. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation