CVE-2025-5336
BaseFortify
Publication date: 2025-06-14
Last updated on: 2025-06-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Click to Chat WordPress plugin is a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of the 'data-no_number' parameter. Authenticated users with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising site security.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into the website. These scripts can execute in the context of users visiting the infected pages, potentially leading to theft of user credentials, session hijacking, defacement, or distribution of malware. It can undermine the trustworthiness and security of your website and its visitors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Click to Chat for WhatsApp WordPress plugin is installed and running a vulnerable version (up to and including 4.22). Since the vulnerability is a Stored Cross-Site Scripting via the 'data-no_number' parameter, monitoring HTTP requests or page source for suspicious or injected scripts in pages where the plugin is active can help detect exploitation attempts. Additionally, inspecting the plugin version on the WordPress site can be done by checking the plugin files or using WP-CLI commands. For example, to check the plugin version via WP-CLI, use: `wp plugin get click-to-chat-for-whatsapp --field=version`. To detect injected scripts, you can use browser developer tools or automated scanning tools that look for XSS payloads in page content. Network monitoring tools can look for unusual script payloads in HTTP responses related to pages using the plugin. However, no specific commands for direct detection of the vulnerability exploitation are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Click to Chat for WhatsApp WordPress plugin to version 4.23 or later, as this version includes fixes addressing the vulnerability related to the 'data-no_number' parameter and other related issues. Updating the plugin will patch the insufficient input sanitization and output escaping that allowed Stored Cross-Site Scripting. Additionally, reviewing and disabling page-level chat settings if not needed can reduce attack surface. Monitoring for suspicious activity and removing any injected scripts from affected pages is also recommended. If updating is not immediately possible, consider disabling the plugin temporarily until the patch can be applied. [1]