Lucene search
Dikshita Trivedi (Cybersecdexter)WPVDB-ID:58C9E088-ED74-461A-B305-E217679F26C1HistoryApr 05, 2024 - 12:00 a.m.
Call Now Button < 1.4.7 - Admin+ Stored XSS
2024-04-0500:00:00
Dikshita Trivedi (Cybersecdexter)
wpscan.com
11
stored xss
admin users
sanitization
settings
poc
update
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PoC
1. Navigate to All Buttons, and add a button. 2. Select “Button action” as Link and insert the following payload: javascript:alert(document.cookie); 3. Set the Open link in the “Current window”. 4. Visit the website and click on the button. 5. The alert will trigger.
Related
vulnrichment
vulnrichment
CVE-2024-2908 Call Now Button < 1.4.7 - Admin+ Stored XSS
2024-04-26 05:00:03
cvelist
cvelist
CVE-2024-2908 Call Now Button < 1.4.7 - Admin+ Stored XSS
2024-04-26 05:00:03
nvd
nvd
CVE-2024-2908
2024-04-26 05:15:50
cve
cve
CVE-2024-2908
2024-04-26 05:15:50
wpexploit
wpexploit
Call Now Button < 1.4.7 - Admin+ Stored XSS
2024-04-05 00:00:00
wordfence
wordfence
AI Score
5.4
Confidence
High
EPSS
0
Percentile
9.0%
Related for WPVDB-ID:58C9E088-ED74-461A-B305-E217679F26C1