WordPress Plugin Vulnerabilities

My Tickets < 1.8.31 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins

Proof of Concept

Affects Plugins

Plugin icon
my-tickets
Fixed in 1.8.31

References

CVE
CVE-2021-24796
YouTube Video

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Abhiyan Chhetri
Submitter
Abhiyan Chhetri
Submitter website
https://itsmeavi.com
Submitter twitter
0x4vian
Verified
Yes
WPVDB ID
d973dc0f-3cb4-408d-a8b0-01abeb9ef951

Timeline

Publicly Published
2021-10-18 (about 4 years ago)
Added
2021-10-18 (about 4 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2014-01-29
Title
Photocrati Theme 4.7.3 - Reflected Cross-Site Scripting (XSS)
Published
2025-10-16
Title
Estatik <= 4.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-28
Title
Stripe Donation <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
WooCommerce Predictive Search - index.php rs Parameter XSS
Published
2025-07-25
Title
Advanced iFrame < 2025.6 - Authenticated (Contributor+) Stored Cross-Site Scripting