CVE-2026-6696
Reflected Cross-Site Scripting in Zingaya Click-to-Call WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zingaya | zingaya_click-to-call | up to and including 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS). The flaw is in the plugin's sign-up admin page, where the 'email', 'first_name', 'last_name', and 'phone' request parameters are neither sanitized on input nor escaped on output. An attacker can therefore place script in these parameters, and if a user is tricked into opening a specially crafted link, the injected script runs in that user's browser in the context of the site.
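The pattern the description refers to, shown as an added illustration rather than the plugin's own source: a WordPress admin page that echoes request parameters straight into an HTML attribute, beside the hardened form that sanitizes on input and escapes on output. The parameter names are those from the advisory; the zingaya_demo_* function names, the capability check and the form markup are assumptions.

```php
<?php
// Added illustrative example (not code from the Zingaya plugin): how a
// CWE-79 reflected XSS arises in a WordPress admin page, and the fixed form.
// Parameter names come from the advisory; the zingaya_demo_* names are assumed.

// VULNERABLE PATTERN: the request parameter is concatenated into HTML as-is.
// A value containing a double quote followed by angle brackets closes the
// value="" attribute and injects markup, which the victim's browser executes.
function zingaya_demo_signup_form_vulnerable() {
    $email = isset( $_GET['email'] ) ? $_GET['email'] : '';
    echo '<input type="text" name="email" value="' . $email . '">';
}

// HARDENED PATTERN: restrict who can reach the page, sanitize on input,
// and escape for the exact output context (attribute vs. text).
function zingaya_demo_signup_form_hardened() {
    // An admin-side sign-up page should only render for administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'zingaya-demo' ) );
    }

    $fields = array( 'email', 'first_name', 'last_name', 'phone' );
    $values = array();
    foreach ( $fields as $field ) {
        // wp_unslash() removes the slashes WordPress adds to superglobals;
        // sanitize_text_field() strips tags, control characters and extra whitespace.
        $raw              = isset( $_GET[ $field ] ) ? wp_unslash( $_GET[ $field ] ) : '';
        $values[ $field ] = is_string( $raw ) ? sanitize_text_field( $raw ) : '';
    }
    // The e-mail field gets a type-specific sanitizer as well (invalid -> '').
    $values['email'] = sanitize_email( $values['email'] );

    // Escape at output regardless of earlier sanitization: esc_attr() for the
    // attribute value, esc_html() for the visible label text.
    foreach ( $fields as $field ) {
        printf(
            '<label>%1$s <input type="text" name="%2$s" value="%3$s"></label>',
            esc_html( ucwords( str_replace( '_', ' ', $field ) ) ),
            esc_attr( $field ),
            esc_attr( $values[ $field ] )
        );
    }
}
```

The essential change is the last loop: even if input sanitization were skipped, `esc_attr()` turns quotes and angle brackets into entities, so a reflected value can no longer break out of the attribute. Sanitizing on input is defence in depth, not a substitute for escaping at the point of output.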
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Zingaya Click-to-Call plugin is a reflected Cross-Site Scripting (XSS) issue that allows unauthenticated attackers to inject arbitrary scripts by exploiting insufficient input sanitization and output escaping.
Such vulnerabilities can potentially lead to unauthorized access to user data or session hijacking, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.
However, the provided information does not explicitly describe the direct impact of this vulnerability on compliance with these standards or regulations.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to execute arbitrary scripts in the context of the affected site. This can lead to theft of user credentials, session hijacking, or performing actions on behalf of the user without their consent. Since the attack requires tricking a user into clicking a malicious link, it can be used for phishing or spreading malware.
What immediate steps should I take to mitigate this vulnerability?
The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to and including 1.0.
The immediate mitigation is to deactivate and uninstall the plugin: it has been temporarily closed and has not been available for download since April 28, 2026, so no fixed version can be installed in its place.
Do not reinstall the plugin until a patched version is released once the review is complete.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the Zingaya Click-to-Call WordPress plugin affecting the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page.
To detect this vulnerability on your system, send crafted HTTP requests to the plugin's sign-up admin page with script payloads in these parameters and check whether the payload is reflected in the response unescaped.

- Use curl or a similar tool to send a request with an XSS payload, for example:

```
curl -G --data-urlencode "email=<script>alert(1)</script>" --data-urlencode "first_name=test" --data-urlencode "last_name=test" --data-urlencode "phone=123" "http://your-wordpress-site/wp-admin/admin.php?page=zingaya_signup"
```

- Inspect the response in a browser or with a tool that renders HTML to see whether the script is reflected unescaped or executed.
Note that the plugin was last updated 12 years ago and is currently closed pending review, so detection should focus on systems still running this plugin version.
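A defender-side complement to the probing described above, added here as an illustrative must-use plugin rather than anything published by the Zingaya project: it watches requests to the affected admin page and logs and blocks any whose reflected parameters carry HTML or script metacharacters, which gives both a detection signal in the error log and a temporary virtual patch until the plugin is removed. Assumptions: the page slug zingaya_signup is taken from the curl command in the answer above and must be adjusted to whatever slug the installed plugin actually registers; the file path under wp-content/mu-plugins/ and the zingaya_guard_* names are invented for this example.

```php
<?php
/**
 * Plugin Name: Zingaya sign-up XSS guard (added example)
 *
 * Illustrative must-use plugin, not code from the Zingaya project. Place it at
 * wp-content/mu-plugins/zingaya-xss-guard.php (assumed path). The page slug
 * 'zingaya_signup' is taken from the advisory's curl command and is an
 * assumption; adjust it to the slug the installed plugin registers.
 */

add_action( 'admin_init', 'zingaya_guard_check_request' );

// admin_init runs on every wp-admin request, so the guard sees the request
// before the plugin's page callback has a chance to reflect the parameters.
function zingaya_guard_check_request() {
    if ( ! isset( $_GET['page'] ) || 'zingaya_signup' !== $_GET['page'] ) {
        return; // Only the affected admin page is of interest.
    }
    $fields = array( 'email', 'first_name', 'last_name', 'phone' );
    foreach ( $fields as $field ) {
        if ( ! isset( $_GET[ $field ] ) ) {
            continue;
        }
        $value = wp_unslash( $_GET[ $field ] );
        // An array where a scalar is expected (email[]=...) is tampering too.
        if ( ! is_string( $value ) || zingaya_guard_looks_like_xss( $value ) ) {
            zingaya_guard_log( $field, is_string( $value ) ? $value : '[array]' );
            wp_die( 'Bad request.', 'Bad request', array( 'response' => 400 ) );
        }
    }
}

// Detection heuristic: angle brackets or quotes (needed to break out of an
// attribute), a javascript: URL, or an on*= event handler never belong in a
// name, e-mail address or phone number.
function zingaya_guard_looks_like_xss( $value ) {
    return (bool) preg_match( '/[<>"\']|javascript:|\bon\w+\s*=/i', $value );
}

// Writes one line to the PHP error log (or WP_DEBUG_LOG when enabled).
// The value is truncated so an oversized parameter cannot bloat the log.
function zingaya_guard_log( $field, $value ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '-';
    error_log( sprintf(
        'zingaya-guard: blocked suspicious %s from %s (%s): %s',
        $field,
        $ip,
        $ua,
        substr( $value, 0, 200 )
    ) );
}
```

Each blocked request leaves a single `zingaya-guard:` line that can be picked up by whatever forwards the PHP error log to a SIEM; a burst of such lines against one site is the signal that someone is probing for this CVE. Because the plugin is closed and will not receive an update, treat this as a stopgap and still remove the plugin as the answer above recommends.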