WordPress Plugin Vulnerabilities

Click to Chat < 4.23 - Contributor+ Stored XSS via data-no_number Parameter

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
click-to-chat-for-whatsapp
Fixed in 4.23

References

CVE
CVE-2025-5336
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/83695ac4-a08b-4c25-ac33-d9b7498f5a2c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Asaf Mozes
Verified
No
WPVDB ID
92ad9d40-d963-419e-8408-1b4c6550bd69

Timeline

Publicly Published
2025-06-13 (about 11 months ago)
Added
2025-06-16 (about 10 months ago)
Last Updated
2025-06-16 (about 10 months ago)

Other

Published
Title
Published
2024-08-22
Title
NinjaTeam Header Footer Custom Code <= 1.2 - Admin+ Stored XSS via CSS Styles
Published
2025-06-05
Title
BNS Featured Category <= 2.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-03
Title
MG Parallax Slider <= 1.0 - Reflected Cross-Site Scripting
Published
2023-09-28
Title
Modern Events Calendar lite < 7.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2021-04-01
Title
Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)