Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Visit the following URL as an admin user, with any valid ticket ID. Press the access key combination to trigger XSS (e.g. Ctrl+Alt+X on Firefox on MacOS).
https://example.com/wp-admin/post.php?post=TICKET_ID%22+accessKey%3DX+onclick%3Dalert%28%2Fxss%2F%29+%22&action=edit