WP Ticket (Customer Service Software & Support Ticket System) < 5.10.4 — Admin+ Stored XSS via Unsanitized List Fields (CVE-2021-24622)

Introduction

I set out to review helpdesk/ticketing plugins that are frequently installed in intranets and customer portals—places where strict role boundaries exist and unfiltered_html is commonly disabled for non-superadmin roles. My focus was on how user-submitted fields are rendered back in list and admin views. WP Ticket’s workflow—end users submit tickets, staff/admins triage them—made it a good candidate to test whether output escaping was consistently applied across the interface. During this review I identified a stored cross-site scripting (XSS) issue that could be triggered by high-privilege users (Admin+) even in environments where unfiltered_html is disallowed, matching CVE-2021-24622.

Summary of the Finding

Versions of WP Ticket prior to 5.10.4 do not properly sanitize and escape certain form fields before outputting them in the List view. As a result, HTML/JavaScript embedded in those fields is stored and later executed in an administrator’s browser when they load the affected admin list page. Because the vulnerable sink lives in an Admin+ context, the practical exploit path is “stored XSS that fires in the admin UI,” enabling actions such as privilege escalation, CSRF bypass via DOM-driven requests, or planting long-lived admin backdoors. The issue is documented as CVE-2021-24622 and was fixed in 5.10.4.

Reproduction steps (tested on local instance)

Performed only on a local test instance for verification and learning.

  • Navigate to WP Ticket > Forms > edit layout of “Open a Ticket” or “Search Tickets” > on the “Editing Form” Setting menu.
  • Select a form field and edit its “Label” with a cross-site scripting (XSS) payload such as:

    v < 5.10.3 - "><script>alert(/XSS/)</script>
    v <= 5.10.3 - " style=animation-name:rotation onanimationstart=alert(/XSS/)//


All of the parameters on the “Editing Form” are vulnerable. To trigger the XSS payload, refresh the “Editing Form” page.
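The root cause described above is output without context-appropriate escaping, and the two payload shapes show why: the second one contains no HTML tag at all, so a fix that only removes tags would still leave the closing quote and the event-handler attribute in the markup. The following is an added example, not code from WP Ticket or its author, that renders a stored field label back into an edit form three ways (unescaped, tag-stripped, and escaped with WordPress's esc_attr()/esc_html()) and runs a crude breakout check over the advisory's payload shapes. Function names here are hypothetical; outside WordPress, esc_attr() and esc_html() do not exist, so standalone equivalents are defined for the example to run with the plain php CLI.

```php
<?php
// Added example (not the plugin's code). Demonstrates why escaping at the
// output sink, in the right context, is the fix for the stored XSS described
// in the advisory, and why stripping tags alone is not.

// Standalone stand-ins so the file runs outside WordPress; inside WordPress
// the real esc_attr()/esc_html() helpers are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the stored label is echoed straight into an attribute
// value and into element text content.
function render_label_field_vulnerable(string $label): string {
    return '<input type="text" name="label" value="' . $label . '">'
         . '<span class="preview">' . $label . '</span>';
}

// Tag-stripping variant: removes <script>, but a payload with no tag and a
// bare quote still closes the value attribute and adds an on* handler.
function render_label_field_striptags(string $label): string {
    $clean = strip_tags($label);
    return '<input type="text" name="label" value="' . $clean . '">'
         . '<span class="preview">' . $clean . '</span>';
}

// Hardened pattern: escape for the context at the point of output
// (attribute context for value="", HTML text context for the preview).
function render_label_field_safe(string $label): string {
    return '<input type="text" name="label" value="' . esc_attr($label) . '">'
         . '<span class="preview">' . esc_html($label) . '</span>';
}

// Crude illustration check, not an HTML parser: does a raw <script> tag or
// an on*= attribute survive outside the quoted value in the output?
function attribute_breakout(string $html): bool {
    return (bool) preg_match('/value="[^"]*"[^>]*\bon\w+=/i', $html)
        || strpos($html, '<script') !== false;
}

// Constructed inputs mirroring the two payload shapes from the advisory.
$payloads = [
    'script tag' => '"><script>alert(/XSS/)</script>',
    'event attr' => '" style=animation-name:rotation onanimationstart=alert(/XSS/)//',
];

foreach ($payloads as $name => $p) {
    printf("%-10s unescaped:  %s\n", $name,
        attribute_breakout(render_label_field_vulnerable($p)) ? 'BREAKOUT' : 'ok');
    printf("%-10s strip_tags: %s\n", $name,
        attribute_breakout(render_label_field_striptags($p)) ? 'BREAKOUT' : 'ok');
    printf("%-10s esc_attr:   %s\n", $name,
        attribute_breakout(render_label_field_safe($p)) ? 'BREAKOUT' : 'ok');
}
```

Run with `php example.php`. The unescaped renderer reports a breakout for both payloads, the strip_tags renderer still reports one for the tagless event-attribute payload, and the esc_attr()/esc_html() renderer reports none for either, because every quote and angle bracket in the stored value is encoded before it reaches the attribute. In a real plugin, pairing this output-side escaping with sanitize_text_field() when the label is saved addresses both sides of the sink.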

Timelines

  • Publicly Published : 2021-09-20
  • Added : 2021-09-20
  • Last Updated : 2021-09-20

This post is licensed under CC BY 4.0 by the author.