Zingaya Click-to-Call WordPress Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Zingaya Click-to-Call plugin for WordPress, affecting all versions through 1.0. The vulnerability arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts. This injected script could be executed on pages if the attacker successfully convinces a user to perform an action, such as clicking a link. The issue is present on the plugin's sign-up admin page, where the 'email', 'first_name', 'last_name', and 'phone' parameters can be exploited.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

There is no known patch available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.