WordPress Plugin Vulnerabilities

CallRail Phone Call Tracking < 0.4.10 - Stored XSS via CSRF

Description

The plugin does not have CSRF check in place and it also lacking sanitisation as well as escaping in some parameters, which could allow attackers to make a logged in admin put Stored Cross-Site Scripting payloads in them

Affects Plugins

Plugin icon
callrail-phone-call-tracking
Fixed in 0.4.10

References

CVE
CVE-2022-36796

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Rasi Afeef
Verified
No
WPVDB ID
f7930b48-f90e-42d1-b10f-cbd4de446b4c

Timeline

Publicly Published
2022-09-01 (about 3 years ago)
Added
2022-09-01 (about 3 years ago)
Last Updated
2022-09-14 (about 3 years ago)

Other

Published
Title
Published
2025-04-22
Title
Recover abandoned cart for WooCommerce < 2.3 - Cross-Site Request Forgery
Published
2025-01-16
Title
Anonymize Links <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-06-27
Title
WPShapere - WordPress admin theme <= 1.4.1 - Cross-Site Request Forgery
Published
2023-03-03
Title
WP Translitera <= p1.2.5 - Settings Update via CSRF
Published
2024-04-10
Title
BEAR <= 1.1.4.1 & WOLF <= 1.0.8.1 - Cross-Site Request Forgery to Notice Dismissal