CVE-2021-24622: 
WordPress vulnerability analysis and mitigation

The Customer Service Software & Support Ticket System WordPress plugin before version 5.10.4 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on September 20, 2021, affecting the wp-ticket plugin. The issue stems from the plugin's failure to properly sanitize or escape form fields before outputting them in the List functionality (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects form fields in the List functionality, where input is neither sanitized nor escaped before being output, even when the unfiltered_html capability is disabled (NVD).

The vulnerability allows high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. This could potentially lead to the execution of malicious JavaScript code in users' browsers, potentially compromising sensitive information or performing unauthorized actions on behalf of other users (WPScan).

The vulnerability has been fixed in version 5.10.4 of the plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).