Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Support Ticket support-ticket allows Reflected XSS. This issue affects Support Ticket: from n/a through <= 1.9.
Published: 2025-08-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Support Ticket plugin for WordPress does not correctly neutralize user input before inserting it into a generated web page, allowing attackers to inject malicious JavaScript into reflected responses. This reflected cross‑site scripting flaw can execute script in a victim’s browser, leading to potential cookie theft, unauthorized actions performed on behalf of the user, or defacement of the site’s content. The vulnerability enables a client‑side attack that compromises the confidentiality and integrity of user sessions while the victim interacts with the affected plugin pages.

Affected Systems

The vulnerability affects the WordPress Support Ticket plugin from themepassion, in all releases up to and including version 1.9. No newer version has been documented as vulnerable, but administrators should verify the plugin’s installed version after patching.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests that, although the vulnerability is serious, the likelihood of exploitation is currently low. The flaw is not listed in CISA’s KEV catalog. Attackers could exploit it by crafting a URL that embeds malicious JavaScript and persuading a site visitor to open it, so that the reflected script executes in the visitor’s browser. If the site is publicly accessible and the plugin’s pages are reachable, the risk is higher because any visitor could be targeted.

Generated by OpenCVE AI on April 30, 2026 at 08:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Support Ticket plugin to the latest version that removes the XSS flaw.
  • If an upgrade cannot be performed, disable or remove the plugin to eliminate the vulnerable code path.
  • Deploy web‑application‑firewall rules to block injection of malicious JavaScript into the plugin’s pages and sanitize any user‑supplied data that may still flow through the application.
Advisories

Source: EUVD
ID: EUVD-2025-28304
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in diego.benna Essential Doo Components for Visual Composer allows DOM-Based XSS. This issue affects Essential Doo Components for Visual Composer: from n/a through 1.9.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1):
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description:
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in diego.benna Essential Doo Components for Visual Composer allows DOM-Based XSS. This issue affects Essential Doo Components for Visual Composer: from n/a through 1.9.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Support Ticket support-ticket allows Reflected XSS. This issue affects Support Ticket: from n/a through <= 1.9.
Title:
  Removed: WordPress Essential Doo Components for Visual Composer plugin <= 1.9 - Cross Site Scripting (XSS) vulnerability
  Added: WordPress Support Ticket Plugin <= 1.9 - Cross Site Scripting (XSS) Vulnerability
References:
Metrics (cvssV3_1):
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 21 Aug 2025 12:45:00 +0000

First Time appeared:
  Added: Wordpress; Wordpress wordpress
Vendors & Products:
  Added: Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Metrics (ssvc):
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Description:
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in diego.benna Essential Doo Components for Visual Composer allows DOM-Based XSS. This issue affects Essential Doo Components for Visual Composer: from n/a through 1.9.
Title:
  Added: WordPress Essential Doo Components for Visual Composer plugin <= 1.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses:
  Added: CWE-79
References:
Metrics (cvssV3_1):
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:04.262Z

Reserved: 2025-06-04T15:44:22.453Z

Link: CVE-2025-49424

Vulnrichment

Updated: 2025-08-20T13:59:53.919Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:37.170

Modified: 2026-04-23T15:31:39.567

Link: CVE-2025-49424

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:30:06Z

Weaknesses