The plugin does not have a CSRF check in place and also lacks sanitisation and escaping in some parameters, which could allow attackers to make a logged-in admin put Stored Cross-Site Scripting payloads in them.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | callrail-phone-call-tracking | lt | 0.4.10 |
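
The three controls the description reports as missing (a CSRF check, sanitisation on save, escaping on output), shown together in a WordPress settings handler. This is an added example, not the plugin's code; the option, action, nonce and page names (`example_tracking_*`, `example-tracking`) are hypothetical.

```php
<?php
// Added illustration: every example_tracking_* name is hypothetical,
// not taken from the affected plugin.

// Render the settings form: embed a nonce and escape the stored value on output.
function example_tracking_render_form() {
    $value = get_option( 'example_tracking_id', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_tracking_save">
        <?php wp_nonce_field( 'example_tracking_save', 'example_tracking_nonce' ); ?>
        <input type="text" name="example_tracking_id"
               value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST: capability check, nonce check, then sanitise before storing.
function example_tracking_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: terminates the request if the nonce is missing or invalid,
    // so a cross-site form submitted by an admin's browser is rejected.
    check_admin_referer( 'example_tracking_save', 'example_tracking_nonce' );

    // Sanitise on input: strips tags and control characters before storage.
    $raw = isset( $_POST['example_tracking_id'] )
        ? wp_unslash( $_POST['example_tracking_id'] )
        : '';
    update_option( 'example_tracking_id', sanitize_text_field( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-tracking' ) );
    exit;
}
add_action( 'admin_post_example_tracking_save', 'example_tracking_save' );
```

Escaping on output stays necessary even with sanitisation on save, because values already stored by an earlier, unpatched version are not cleaned retroactively.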