CVE-2025-23745 in Call me Now Plugin
Summary
by MITRE • 01/16/2025
Cross-Site Request Forgery (CSRF) vulnerability in Tussendoor internet & marketing Call me Now allows Stored XSS. This issue affects Call me Now: from n/a through 1.0.5.
Analysis
by VulDB Data Team • 02/10/2025
This vulnerability is a critical security flaw in the Tussendoor internet & marketing Call me Now plugin: a cross-site request forgery weakness that can be used to plant stored cross-site scripting payloads. It lies in the plugin's handling of user input and request processing, and the two weaknesses chain together. The CSRF flaw lets an attacker trick an authenticated user into submitting a request that user never intended, and the stored XSS component then lets script supplied in that request execute persistently in the browsers of users who view the affected page. The combination is particularly dangerous because the attacker's foothold persists across user sessions and stays active until the injected content is manually removed from the application's database. All versions from the initial release through 1.0.5 are affected, which indicates a long-standing issue that has not been properly addressed. The root cause is inadequate validation and sanitization of user-supplied data combined with an insufficient anti-CSRF token implementation. In CWE terms the vulnerability maps to CWE-352 for the CSRF aspect and CWE-79 for the stored XSS component, both classified as high-risk security issues. The attack surface is especially concerning because it rides on legitimate user sessions to execute malicious code, which makes detection harder for security monitoring systems. The impact extends beyond simple data theft to potential account takeover, session hijacking, and injection of malicious content that can affect every user who interacts with the vulnerable plugin.
The operational impact is severe for any organization running the Call me Now plugin, because the flaw gives attackers persistent access to user sessions and data. An attacker crafts a malicious request that, when executed by an authenticated user, stores malicious script in the application's database; that script then runs automatically whenever affected users load the page, creating a persistent threat that can go undetected for extended periods. Exploitation requires minimal technical skill, since it relies on the inherent trust relationship between the user's browser and the application. This is particularly dangerous in environments where many users share the same system, because a single compromised user can serve as the entry point for broader network infiltration. The stored XSS component targets the application's user interface rendering, letting injected JavaScript steal cookies, redirect users to malicious sites, or perform other harmful actions. The CSRF aspect removes the need for any user interaction beyond the initial trigger, which can be delivered through social engineering campaigns or compromised websites. The vulnerability aligns with ATT&CK techniques related to credential access and persistence, since it enables attackers to maintain access to user sessions and potentially escalate privileges through the executed scripts.
Mitigation must address the CSRF and stored XSS components together to provide comprehensive protection. Patching the affected plugin versions immediately is essential, because the flaw spans multiple releases and needs a code-level fix that properly validates and sanitizes user input. Anti-CSRF tokens should be generated per session and validated on each request so that unauthorized actions cannot be executed. Content Security Policy headers add protection against stored XSS by restricting the sources from which scripts may be loaded and executed. Input validation and output encoding should be strengthened throughout the application so that malicious data is neither stored nor rendered as executable content. Regular security audits and penetration testing should look for similar weaknesses in other components of the application ecosystem, and the presence of this flaw points to a need for developer security awareness training so that controls are implemented correctly during the development lifecycle. A web application firewall can detect and block suspicious requests that attempt to exploit CSRF, and monitoring for unusual patterns in user activity and request behavior can surface exploitation attempts, while enforced security update and patch management processes reduce the chance of similar vulnerabilities being introduced in future releases. Together these measures form multiple layers of defense that can effectively neutralize this vulnerability.
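The controls listed above (per-user anti-CSRF token validated on the request, capability check, input sanitization, output escaping and a CSP header), shown side by side with the weak pattern they replace, as an added example for a generic WordPress plugin settings page. This is illustrative code written for this page, not the Call me Now plugin's own source; the option name `cmn_button_text`, the form field, the `cmn_example_*` function names and the admin page slug are all assumptions.

```php
<?php
// Added example: a hypothetical WordPress plugin settings handler.
// Not the Call me Now plugin's code; option/field/function names are assumed.

// ---- Weak pattern: the CSRF -> stored XSS chain the advisory describes ----
// No nonce, no capability check, raw POST value stored, raw value echoed.
function cmn_example_save_settings_weak() {
    if ( isset( $_POST['cmn_button_text'] ) ) {
        update_option( 'cmn_button_text', $_POST['cmn_button_text'] );
    }
}
function cmn_example_render_weak() {
    echo '<button>' . get_option( 'cmn_button_text' ) . '</button>';
}

// ---- Hardened pattern ----
// Settings form: carries a WordPress nonce bound to this action and this user.
function cmn_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cmn_example_save">
        <?php wp_nonce_field( 'cmn_example_save', 'cmn_example_nonce' ); ?>
        <input type="text" name="cmn_button_text"
               value="<?php echo esc_attr( get_option( 'cmn_button_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: token check, authorization check, then sanitize before storing.
function cmn_example_save_settings() {
    // Rejects the request (wp_die) unless the nonce is valid for this user/action.
    check_admin_referer( 'cmn_example_save', 'cmn_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $text = isset( $_POST['cmn_button_text'] ) ? wp_unslash( $_POST['cmn_button_text'] ) : '';
    // sanitize_text_field() strips tags and control characters; cap the length too.
    $text = substr( sanitize_text_field( $text ), 0, 100 );
    update_option( 'cmn_button_text', $text );
    wp_safe_redirect( admin_url( 'options-general.php?page=cmn-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_cmn_example_save', 'cmn_example_save_settings' );

// Render: escape at output time regardless of what sanitization happened on input.
function cmn_example_render() {
    echo '<button>' . esc_html( get_option( 'cmn_button_text', '' ) ) . '</button>';
}

// Defense in depth: a CSP that limits where scripts may load from on front-end pages.
function cmn_example_csp() {
    if ( ! is_admin() && ! headers_sent() ) {
        header( "Content-Security-Policy: script-src 'self'; object-src 'none'" );
    }
}
add_action( 'send_headers', 'cmn_example_csp' );
```

The two halves of the fix are independent: the nonce and capability checks stop a forged request from reaching `update_option()` at all, while `sanitize_text_field()` on the way in and `esc_html()` on the way out ensure that even a value that does get stored cannot render as script. The CSP directive shown is deliberately strict; a real site would need to add the script origins it actually uses (and avoid relying on inline scripts) before deploying it.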