Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System wp-ticket allows Stored XSS.This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through <= 6.0.2.
Published: 2025-09-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of user input in the WP Ticket Customer Service Software & Support Ticket System plugin allows attackers to store malicious scripts that are later served to all site visitors. The vulnerability is a stored XSS flaw that could enable attackers to steal session cookies, deface pages, or perform phishing attacks against authenticated users.

Affected Systems

The affected product is the emarket‑design WP Ticket Customer Service Software & Support Ticket System plugin for WordPress, with versions from the initial release through 6.0.2 inclusive. Any WordPress installation using one of these plugin versions is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by submitting malicious content through ticket or customer input fields, which will then be rendered unfiltered to all users, making the impact potentially widespread within the affected site. As the flaw is stored rather than reflected, compromising the plugin does not require the victim’s interaction with a specially crafted link, increasing the risk profile for attackers who can inject payloads via the plugin’s interface.

Generated by OpenCVE AI on April 29, 2026 at 23:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Ticket plugin to a version newer than 6.0.2 that contains the input sanitization fix.
  • If an upgrade is not immediately possible, restrict or sanitize the data accepted by the plugin’s ticket submission fields to remove script tags and escape output.
  • Deploy or configure a Web Application Firewall ruleset to detect and block typical XSS payloads targeting the plugin's pages.
  • Ensure that the WordPress core and all other plugins are kept up to date and that the site runs a secure, hardened configuration (e.g., SSL, secure cookies).

Generated by OpenCVE AI on April 29, 2026 at 23:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31248 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Stored XSS. This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through 6.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Stored XSS. This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through 6.0.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System wp-ticket allows Stored XSS.This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through <= 6.0.2.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Emarketdesign
Emarketdesign customer Service Software & Support Ticket System
Wordpress
Wordpress wordpress
Vendors & Products Emarketdesign
Emarketdesign customer Service Software & Support Ticket System
Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Stored XSS. This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through 6.0.2.
Title WordPress WP Ticket Customer Service Software & Support Ticket System Plugin <= 6.0.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Emarketdesign Customer Service Software & Support Ticket System
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:55.854Z

Reserved: 2025-09-25T15:28:03.107Z

Link: CVE-2025-60157

cve-icon Vulnrichment

Updated: 2025-09-26T14:06:03.925Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:44.770

Modified: 2026-04-23T15:34:19.583

Link: CVE-2025-60157

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses