An improper neutralization of input flaw in the Key4ce osTicket Bridge plugin allows an attacker to inject arbitrary script into web pages that the plugin serves. This reflected XSS vulnerability can cause browsers of unsuspecting users to execute attacker‑controlled code, leading to session hijacking, credential theft, defacement, or delivery of additional malware. The weakness is a classic CWE‑79 input validation failure, affecting confidentiality, integrity, and availability by compromising the victim’s session and potentially exposing sensitive data.

The vulnerability impacts the WordPress Key4ce osTicket Bridge plugin from vendor m.tiggelaar, specifically all releases up to and including version 1.4.0. Any WordPress site that has this plugin installed and has not upgraded beyond this version is affected.

The CVSS score of 7.1 indicates a high severity response is warranted. The EPSS score of less than 1% shows that the probability of exploitation in the near term is very low, and the vulnerability is not currently listed in CISA’s Known Exploited Vulnerabilities catalog. Attackers would typically deliver the malicious input via a crafted URL or form input that the plugin echoes back to the user’s browser. Because it is a reflected flaw, the threat requires victim interaction – the user must visit a specially constructed link for the payload to execute.