4 Feb 2019

Vulnerability Details: Reflected XSS in WP Support Plus Responsive Ticket System

The changelog for the latest version of WP Support Plus Responsive Ticket System reads “Fix : HTML injection security issues fixed”. Looking at the changes made in that version, there were numerous places where an attempt was made to escape variables, mostly using htmlentities(), which isn’t really the function that should be used for this. To figure out whether an actual vulnerability had been fixed (versus just a precautionary change), we ran the previous version of the plugin through our Plugin Security Checker tool. The results indicated a few instances where the escaping was added in places the tool had previously flagged as possible issues. A quick check confirmed they were vulnerable and that the change made to them didn’t fix the vulnerability.
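As an added illustration (not code from the plugin or from this post) of why htmlentities() with its default flags is the wrong tool for escaping a reflected value, the constructed PHP below echoes one input into a single-quoted attribute three ways; the input value is made up, and esc_attr() is assumed to be WordPress's attribute-escaping helper, stubbed here so the snippet runs outside WordPress.

```php
<?php
// Constructed reflected input. A lone single quote is enough to end a
// single-quoted HTML attribute, which is the context being escaped into.
$user_input = "abc' title='x";

// Case 1: htmlentities() with default flags. Before PHP 8.1 the default
// was ENT_COMPAT: double quotes are encoded, single quotes are left alone,
// so the attribute boundary is not protected.
$weak = htmlentities($user_input);

// Case 2: the same function with explicit flags: encode both quote styles,
// replace invalid byte sequences instead of returning an empty string,
// and state the charset rather than relying on the default.
$strong = htmlentities($user_input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Case 3: the WordPress helper for attribute context. Outside WordPress it
// is not defined, so fall back to the htmlspecialchars() call it approximates.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
$wp = esc_attr($user_input);

printf("htmlentities() default : <input value='%s'>\n", $weak);
printf("htmlentities(ENT_QUOTES): <input value='%s'>\n", $strong);
printf("esc_attr()              : <input value='%s'>\n", $wp);

// On PHP < 8.1 the first line keeps the raw quote and the attribute is split
// into two; the other two lines encode it as &#039; and the value stays
// inside the attribute. The right helper also depends on context:
// esc_html() for element text, esc_attr() for attributes, esc_url() for
// href/src, esc_js() for inline script strings.
```

PHP 8.1 changed the default flags to include ENT_QUOTES, so the first case only misbehaves on older PHP versions, which is exactly why relying on defaults rather than a context-specific escaping function is fragile.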

...


This post provides insights on a vulnerability in the WordPress plugin WP Support Plus Responsive Ticket System not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.
