WordPress Plugin Vulnerabilities

Call Now Button < 1.4.7 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Navigate to All Buttons, and add a button. 
2. Select "Button action" as Link and insert the following payload: javascript:alert(document.cookie);
3. Set the Open link in the "Current window".
4. Visit the website and click on the button.
5. The alert will trigger.

Affects Plugins

Plugin icon
call-now-button
Fixed in 1.4.7

References

CVE
CVE-2024-2908

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Dikshita Trivedi (Cybersecdexter)
Submitter
Dikshita Trivedi (Cybersecdexter)
Verified
Yes
WPVDB ID
58c9e088-ed74-461a-b305-e217679f26c1

Timeline

Publicly Published
2024-04-05 (about 1 months ago)
Added
2024-04-05 (about 1 months ago)
Last Updated
2024-04-05 (about 1 months ago)

Other

Published
Title
Published
2021-09-15
Title
Shared Files < 1.6.57 - Admin+ Stored Cross-Site Scripting
Published
2024-04-26
Title
WP ULike < 4.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2022-07-18
Title
Name Directory < 1.25.5 - Stored Cross-Site Scripting via CSRF
Published
2023-11-24
Title
Chatbot for WordPress < 2.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-03-12
Title
Prime Slider – Addons For Elementor < 3.13.3 - Contributor+ Stored Cross-Site Scripting via Mercury Widget