WWordPress Vulnerability Database

Community Alert XSS in Support Ticket Plugin(CVE202560157)

WordPress WP Ticket Customer Service Software & Support Ticket System Plugin
0
Shares
0
0
0
0
Plugin Name WP Ticket Customer Service Software & Support Ticket System
Type of Vulnerability Cross-Site Scripting (XSS)
CVE Number CVE-2025-60157
Urgency Low
CVE Publish Date 2025-09-26
Source URL CVE-2025-60157

WP Ticket (<= 6.0.2) — Cross-Site Scripting (XSS) CVE-2025-60157: What WordPress Site Owners Must Do Now

Date published: 26 September 2025
CVE: CVE-2025-60157
Affected plugin: WP Ticket Customer Service Software & Support Ticket System
Vulnerable versions: <= 6.0.2
Fixed version: 6.0.3
Reported privilege required: Contributor (low-privileged user)
Severity / CVSS: 6.5 (Medium / Low-priority patching according to some scoring)

Executive summary

  • A reflected/stored Cross-Site Scripting (XSS) vulnerability exists in WP Ticket versions up to and including 6.0.2.
  • The issue allows a low-privileged user (Contributor role) to inject HTML/JavaScript into ticket content or other rendered areas; injected scripts may execute when viewed by admins, agents, or site visitors.
  • Fixed in WP Ticket 6.0.3 — update immediately if you use this plugin.
  • If you cannot update immediately: deactivate the plugin where practical, restrict contributor privileges, enable input/content sanitisation, and scan ticket content for suspicious entries.

Why this matters — a pragmatic take

Cross-Site Scripting remains a frequently exploited web vulnerability. Even where scoring systems label a finding as “low priority,” the practical impact can be significant depending on which accounts or interfaces execute the injected script.

This vulnerability is particularly relevant to sites that allow visitor accounts, community contributors, or other untrusted users to submit tickets or messages. Potential impacts include:

  • Session hijacking via stolen cookies or authentication tokens
  • Secondary payload deployment leading to defacement, malware insertion, or data exfiltration
  • Administrative actions performed in the context of an admin who views a malicious ticket
  • Redirection to phishing sites or injection of unwanted content into public pages or emails

The real-world blast radius depends on how your site renders ticket content and which roles interact with it. Publicly displayed ticket data or content forwarded into email or third-party dashboards increases the risk.

Technical analysis (what’s happening)

The core issue is an input validation/output escaping bug in the plugin’s rendering pipeline:

  • User-supplied content from ticket fields or messages is not properly sanitized and/or escaped before being output in an HTML context.
  • An attacker with Contributor-level access can submit crafted content containing HTML/JavaScript payloads.
  • When a victim (admin, agent, or visitor) views the ticket, their browser executes the injected script because it is served as part of the page without proper escaping or Content Security Policy (CSP) protections.

This maps to the OWASP classification for injection, specifically XSS. Because Contributor is a common default low-privilege role, many sites may be exposed without realising it.

Who is at risk

  • Sites running WP Ticket versions <= 6.0.2.
  • Sites that allow account creation with Contributor or similar low-privileged roles.
  • Sites where support ticket content is viewed by admins or other privileged accounts.
  • Sites that embed or forward ticket content in email or publicly accessible pages.

If you meet any of the above conditions, treat this as an operational priority and follow the remediation steps below.

Immediate actions (0–24 hours)

  1. Update the plugin now. The definitive fix is to update WP Ticket to version 6.0.3 or later.
  2. If you cannot update immediately:
    • Deactivate or disable the WP Ticket plugin until you can apply the update.
    • Restrict account creation and remove or downgrade untrusted users with Contributor privileges.
    • Temporarily require that ticket submission is authenticated and manually vet new accounts.
  3. Enable strict content filtering. Enable HTML sanitisation for user-submitted content where available (for example, strip HTML tags from ticket fields).
  4. Apply protective HTTP-layer rules. Implement rules on your hosting or edge security layer to block common XSS payload patterns in ticket submission requests and rendered pages.
  5. Scan for suspicious content and IoCs. Search ticket tables for script tags (