CVE-2025-5336
Description
Stored XSS in Click to Chat for WordPress (≤4.22) via insufficient sanitization of the 'data-no_number' parameter, exploitable by contributors and above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Click to Chat plugin for WordPress (versions up to and including 4.22) contains a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping of the 'data-no_number' parameter. This allows attackers to inject arbitrary web scripts that are stored on the server and later executed in the browsers of users accessing the affected pages.
Exploitation
An attacker must be authenticated with at least Contributor-level access. No additional privileges or network position are required beyond the ability to create or edit posts/pages using the plugin's shortcode or settings that accept the 'data-no_number' parameter. The injected script persists in the page content and triggers when any user—including administrators—views the page.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can be used to steal session cookies, log keystrokes, perform actions on behalf of the user, or deface the site. The vulnerability is rated Medium (CVSS 6.4) due to the requirement for authentication and the need for user interaction.
Mitigation
The plugin vendor has not yet released a patched version; users are advised to apply input validation and escape output manually, restrict contributor access, or consider disabling the vulnerable parameter until an official fix is available. No evidence of exploitation in the wild has been reported as of publication [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
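As an added illustration (not the plugin's code, and independent of how app.dev.js actually handles the attribute), the JavaScript below contrasts the unsafe pattern described above, a stored contributor-controlled value concatenated straight into a `data-no_number` attribute, with the two mitigations the narrative names: escaping on output and validating on save. The renderer, the function names and the sample payload are constructed for this example.

```javascript
// Constructed example: a server-side-style renderer that emits the widget
// markup from a stored attribute value. Names are assumed, not the plugin's.
const ATTR = 'data-no_number';

// Escape the characters that can close an attribute value or open new markup.
// This is the same character set WordPress's esc_attr() neutralises.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern: the stored value lands in the attribute unescaped, so a
// value containing `">` terminates the attribute and the tag and injects markup.
function renderUnsafe(storedValue) {
  return `<span class="ctc" ${ATTR}="${storedValue}"></span>`;
}

// Hardened pattern: every dynamic attribute value is escaped for attribute context.
function renderSafe(storedValue) {
  return `<span class="ctc" ${ATTR}="${escapeAttr(storedValue)}"></span>`;
}

// Validate-on-save check (assumes the attribute is meant to hold plain text):
// reject anything carrying markup delimiters before it is ever stored.
// Output escaping remains mandatory; this only reduces what gets persisted.
function isPlainText(value) {
  return !/[<>"'&]/.test(String(value));
}

// Constructed stored value a Contributor might save via the shortcode.
const sample = '"><script>alert(1)</script>';
console.log('unsafe :', renderUnsafe(sample));
console.log('safe   :', renderSafe(sample));
console.log('accept on save?', isPlainText(sample)); // false
```

Running it shows the unsafe render producing a second, attacker-supplied `<script>` element while the hardened render keeps the whole value inside the attribute as inert text.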
Affected products
- Range: <=4.22
Patches
- r3309693
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.22/new/inc/assets/js/dev/app.dev.js (NVD)
- plugins.trac.wordpress.org/changeset/3309693/ (NVD)
- wordpress.org/plugins/click-to-chat-for-whatsapp/ (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/83695ac4-a08b-4c25-ac33-d9b7498f5a2c (NVD)
News mentions
No linked articles in our index yet.