CVE-2024-2908 in Call Now Button Plugin
Summary
by MITRE • 04/26/2024
The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/03/2025
The vulnerability identified as CVE-2024-2908 affects the Call Now Button WordPress plugin version 1.4.6 and earlier, presenting a critical security risk through stored cross-site scripting flaws. This issue specifically targets high-privilege users including administrators who possess the capability to manipulate plugin settings. The vulnerability arises from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating an attack vector that can persistently compromise user sessions and potentially escalate privileges within the WordPress environment.
The technical flaw manifests when administrators configure plugin settings that are subsequently stored in the database without proper sanitization processes. This allows malicious scripts to be injected and stored within the plugin's configuration parameters, which then execute whenever the settings are rendered or processed. The vulnerability is particularly concerning because it operates even when the WordPress multisite setup restricts unfiltered_html capabilities, which typically prevents non-administrative users from injecting malicious code. This means that the attack can succeed even in hardened environments where standard security measures should prevent such exploits.
The operational impact of this vulnerability extends beyond simple XSS attacks, potentially enabling attackers to hijack administrator sessions, modify plugin configurations, or even gain elevated privileges within the WordPress installation. In a multisite environment, this vulnerability could allow attackers to compromise multiple sites simultaneously, as the stored scripts would execute across different sites within the same network. The persistent nature of stored XSS means that victims need not actively interact with malicious content, as the scripts execute automatically whenever the affected plugin settings are accessed or displayed.
Security professionals should prioritize immediate patching of this vulnerability to version 1.4.7 or later, as this represents the first remediation that addresses the sanitization and escaping deficiencies. Organizations should also implement additional monitoring for suspicious plugin configuration changes and consider implementing web application firewalls to detect potential exploitation attempts. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and falls under ATT&CK technique T1548.003 for privilege escalation through the manipulation of application settings. Administrators should conduct thorough security audits of all installed plugins to identify similar sanitization issues that could present analogous risks within their WordPress environments.