2 matches found
CVE-2022-1455
CVE-2022-1455 concerns the WordPress Call Now Button plugin prior to version 1.1.2, where a parameter output into a hidden input attribute is not escaped, enabling Reflected Cross-Site Scripting. The root cause is failure to escape user-c...
CVE-2024-2908
CVE-2024-2908 affects the WordPress plugin Call Now Button prior to 1.4.7. The issue arises because the plugin does not sanitize/escape certain settings, enabling Stored XSS by high-privilege users (e.g., admins), including in multisite setups where unfiltered_html is disallowed. Connected source...