{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5336", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-29T17:14:56.794Z", "datePublished": "2025-06-14T08:23:26.308Z", "dateUpdated": "2026-04-08T17:04:07.991Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:07.991Z"}, "affected": [{"vendor": "holithemes", "product": "Click to Chat \u2013 HoliThemes", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data-no_number\u2019 parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Click to Chat <= 4.22 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via data-no_number Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83695ac4-a08b-4c25-ac33-d9b7498f5a2c?source=cve"}, {"url": "https://wordpress.org/plugins/click-to-chat-for-whatsapp/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.22/new/inc/assets/js/dev/app.dev.js#L126"}, {"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.22/new/inc/assets/js/dev/app.dev.js#L818"}, {"url": "https://plugins.trac.wordpress.org/changeset/3309693/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-06-13T20:15:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T16:45:55.932997Z", "id": "CVE-2025-5336", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T18:38:52.125Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5336", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-16T16:45:55.932997Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T16:47:10.413Z"}}], "cna": {"title": "Click to Chat <= 4.22 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via data-no_number Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "holithemes", "product": "Click to Chat \u2013 HoliThemes", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-13T20:15:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83695ac4-a08b-4c25-ac33-d9b7498f5a2c?source=cve"}, {"url": "https://wordpress.org/plugins/click-to-chat-for-whatsapp/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.22/new/inc/assets/js/dev/app.dev.js#L126"}, {"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.22/new/inc/assets/js/dev/app.dev.js#L818"}, {"url": "https://plugins.trac.wordpress.org/changeset/3309693/"}], "descriptions": [{"lang": "en", "value": "The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data-no_number\u2019 parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:07.991Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5336", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:07.991Z", "dateReserved": "2025-05-29T17:14:56.794Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-14T08:23:26.308Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data-no_number\u2019 parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Click to Chat para WordPress es vulnerable a cross-site-scripting almacenado a trav\u00e9s del par\u00e1metro 'data-no_number' en todas las versiones hasta la 4.22 incluida, debido a una depuraci\u00f3n de entrada insuficiente y un escape de salida deficiente. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-5336", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-14T09:15:23.527", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.22/new/inc/assets/js/dev/app.dev.js#L126"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.22/new/inc/assets/js/dev/app.dev.js#L818"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3309693/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/click-to-chat-for-whatsapp/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83695ac4-a08b-4c25-ac33-d9b7498f5a2c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:13:38.898901+00:00", "value": {"mitigation_remediation": ["Update the Click to Chat plugin to a version newer than 4.22.", "If an update is not feasible, permanently uninstall or deactivate the plugin from the WordPress installation.", "Restrict Contributor and higher level accounts, reviewing permissions and monitoring for suspicious activity to reduce the risk of exploitation."], "summary": {"action": "Patch", "impact": "Stored DOM\u2011Based Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the HoliThemes Click to Chat plugin, all versions up to and including 4.22. Any site that has deployed this plugin without an upgrade to a later version is affected.", "description_and_impact": "The Click to Chat plugin for WordPress is vulnerable to stored cross\u2011site scripting through the data\u2011no_number parameter. Authenticated users with Contributor level or higher can inject arbitrary JavaScript into the plugin\u2019s output. Once injected, the script executes whenever a user views a page that includes the plugin, potentially allowing attackers to steal session cookies, hijack accounts, deface content, or redirect users to malicious sites.", "risk_and_exploitability": "The CVSS score of 6.4 denotes moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Contributor or higher privileges, meaning the attack vector is internal. An attacker can leverage the injected script to compromise the integrity and confidentiality of site visitors that interact with the affected pages."}}}}, "created": "2026-04-21T20:15:44.580440+00:00", "updated": "2026-04-21T20:15:44.580449+00:00", "vendors": []}