WordPress Plugin Vulnerabilities

Support Ticket System By Phoeniixx <= 2.7 - Unauthenticated Reflected XSS

Description

Bad user input sanitisation leads to unauthenticated reflected XSS.

Edit (WPScanTeam):
January 27th, 2020 - Report received & WP Plugin team notified
January 31st, 2020 - WP plugin team acknowledgement & plugin closed.
April 11th, 2020 - No updates, disclosing.

Proof of Concept

Affects Plugins

Plugin icon
support-ticket-system-by-phoeniixx
No known fix

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Max
Submitter website
https://agencemcb.fr
Verified
Yes
WPVDB ID
19206f06-f006-4e06-9503-872596aa515e

Timeline

Publicly Published
2020-04-11 (about 6 years ago)
Added
2020-04-11 (about 6 years ago)
Last Updated
2020-04-11 (about 6 years ago)

Other

Published
Title
Published
2025-03-24
Title
GMO Font Agent <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-18
Title
Open edX LMS <= 2.6.1 - Reflected Cross-Site Scripting
Published
2023-12-26
Title
HashBar – WordPress Notification Bar < 1.4.2 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2024-11-22
Title
Advanced Event Manager <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-12-31
Title
Effect Maker <= 1.2.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting