The WP Support Plus Responsive Ticket System plugin for WordPress allows unauthenticated users to upload files without proper validation, enabling the inclusion of malicious JavaScript in file contents such as HTML or SVG. These files are stored in a publicly accessible directory, and when site visitors or administrators view pages that render these files, the embedded script executes in their browsers. The result is a stored cross‑site scripting (XSS) attack that can lead to session hijacking, credential theft, defacement, or lateral movement within the WordPress administration interface.

WordPress sites that have the WP Support Plus Responsive Ticket System plugin installed with a version equal to or older than 9.1.2 are impacted. The vulnerability is present in all environments where the plugin version has not been updated beyond the stated threshold and the default file‑upload handling remains in place.

The vulnerability is exploitable by any remote actor with internet access to the WordPress site; no authentication or additional privileges are required. The CVSS score of 8.8 indicates high severity, while the EPSS score of <1% suggests a low probability of exploitation. Nevertheless, the straightforward attack vector of unauthenticated file upload to a publicly accessible location makes the risk severe. The vulnerability is not listed in the CISA KEV catalog, but the lack of a known public exploit does not mitigate the inherent risk of stored XSS. Attackers can upload crafted files that deliver JavaScript, which then runs under the context of legitimate site users and administrators when they view the affected content.