WordPress Plugin Vulnerabilities

My Tickets < 2.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The My Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
my-tickets
Fixed in 2.0.23

References

CVE
CVE-2025-58988
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f0174718-cddb-4821-b71e-ca21eb913842

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
64924680-eaa7-40ae-97f0-01fb37093f06

Timeline

Publicly Published
2025-09-09 (about 6 months ago)
Added
2025-09-15 (about 6 months ago)
Last Updated
2025-09-15 (about 6 months ago)

Other

Published
Title
Published
2020-02-27
Title
10Web Map Builder for Google Maps < 1.0.64 - Unauthenticated Stored XSS via Plugin Settings Change
Published
2024-03-29
Title
BoldGrid Easy SEO – Simple and Effective SEO < 1.6.14 - Authenticated(Contributor+) Stored Cross-Site Scripting via Meta Description
Published
2024-03-18
Title
Tracking Code Manager < 2.1.0 -Admin+ Stored Cross-Site Scripting
Published
2025-01-16
Title
Essay Wizard (wpCRES) <= 1.0.6.4 - Reflected Cross-Site Scripting
Published
2023-03-29
Title
Weaver Xtreme Theme Support < 6.2.7 - Contributor+ Stored XSS