WordPress Plugin Vulnerabilities

Call Now Button < 1.1.2 - Reflected Cross-Site Scripting

Description

The plugin does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled

Proof of Concept

With premium enabled: http://example.com/wp-admin/admin.php?page=call-now-button&bid=xxxxx" accesskey=X onclick=alert(/XSS/) test="

Affects Plugins

call-now-button

Fixed in version 1.1.2

References

CVE

CVE-2022-1455

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

7coo and JrXnm

Submitter

7coo

Submitter website

https://7coo.github.io/

Verified

Yes

WPVDB ID

8267046e-870e-4ccd-b920-340233ed3b93

Timeline

Publicly Published

2022-04-25 (about 2 months ago)

Added

2022-04-25 (about 2 months ago)

Last Updated

2022-04-25 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin