The post_title of a ticket is not sanitised, which could allow users with the Support Supervisor capability to create tickets containing XSS payloads. The risk is relatively low, as CSRF checks are in place and the affected role is close to an admin one. Using the DISALLOW_UNFILTERED_HTML constant does not mitigate the attack.

January 10th, 2020 - WP Plugins Team Notified
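The following is an added illustration of the underlying defect and its fix; it is not the plugin's code and does not reproduce its templates. It models a ticket whose title is stored verbatim and then rendered into a list row, once without and once with output encoding. The names createTicket, renderRowVulnerable, renderRowSafe, the 'support_supervisor' capability string and the two payloads are all assumptions made for this example; escapeHtml stands in for the esc_html()/esc_attr() step a WordPress theme or plugin would use on output. The point it makes is the one the advisory makes: a correct capability check (and CSRF check) on who may create tickets does nothing for a title that is later echoed unescaped.

```javascript
// Added example (not the plugin's code): an unescaped ticket title rendered
// into a row, beside the same row with output encoding applied.

// Encode the five characters that matter in HTML text and attribute contexts.
// This is the role esc_html()/esc_attr() play in WordPress.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hypothetical ticket store. The capability gate is correct and is still
// irrelevant to the bug: a supervisor's title is stored exactly as submitted.
function createTicket(user, title) {
  if (!user.caps.includes('support_supervisor')) throw new Error('forbidden');
  return { id: 1, post_title: title }; // stored verbatim, as the advisory describes
}

// Vulnerable rendering: the title is interpolated raw into both an attribute
// and the element text, so either context can be broken out of.
function renderRowVulnerable(ticket) {
  return `<tr><td title="${ticket.post_title}">${ticket.post_title}</td></tr>`;
}

// Hardened rendering: encode at the point of output, in every context.
function renderRowSafe(ticket) {
  const t = escapeHtml(ticket.post_title);
  return `<tr><td title="${t}">${t}</td></tr>`;
}

// Helper used to inspect the result: the value of the title="" attribute as a
// browser would delimit it (first double quote ends it).
function titleAttribute(html) {
  const m = /title="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Constructed payloads: one aimed at the text context, one that closes the
// attribute early and adds an event handler.
const payloads = [
  '<script>alert(document.domain)</script>',
  '" onmouseover="alert(1)',
];
const supervisor = { caps: ['support_supervisor'] };

// Render every payload both ways so the difference can be compared side by side.
function demo() {
  return payloads.map((p) => {
    const ticket = createTicket(supervisor, p);
    return {
      payload: p,
      vulnerable: renderRowVulnerable(ticket),
      safe: renderRowSafe(ticket),
    };
  });
}
```

With the first payload the vulnerable row contains a literal script element; with the second, titleAttribute() of the vulnerable row is the empty string because the injected quote closed the attribute and left onmouseover= as a real handler. The hardened row keeps the whole payload inside the attribute and the text node as inert entities. Input-side filtering (what DISALLOW_UNFILTERED_HTML influences) is a second line of defence at best; the output must be encoded regardless of who was allowed to submit the title.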