For every bounty won throughout May 2021, huntr will donate half towards Indian COVID relief.
XSS is possible via support ticket reply functionality for admin. It can happen if a client registers with his name as the XSS payload and admin replies with the default greetings. Otherwise admin have to manually enter the payload in reply form.
POC video: https://drive.google.com/file/d/1aCMb4ETmGVzipBlaUX6tFwpzF6mKlW7e/view
This vulnerability is capable of executing arbitrary scripts.