Call Now Button <= 1.1.1 Reflected XSS (CVE-2022-1455)

In the file /call-now-button/src/admin/action/CnbActionViewEdit.php, $_REQUEST["bid"] is not sanitized properly, which leads to a reflected XSS.

$button->type is 'SINGLE' by default.

To trigger this XSS, premium must be activated first; activation is free.


According to this article, to trigger this XSS we need to press Shift + Alt + X on Windows or Ctrl + Alt + X on macOS.

1" accesskey=X onclick=alert(1) test="
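
Why this payload works, and how encoding for the attribute context stops it, shown as an added example that is not the plugin's own code. The `<input>` markup and the function names are hypothetical stand-ins, since the page does not show how CnbActionViewEdit.php echoes `bid`; plain PHP `htmlspecialchars()` is used so the script runs without WordPress.

```php
<?php
// Added example, not the plugin's code. The <input> markup below is a
// hypothetical stand-in for wherever the admin page echoes the "bid" value.

// Constructed sample input: the payload quoted on this page.
$bid = '1" accesskey=X onclick=alert(1) test="';

// Vulnerable pattern: request value concatenated into a quoted attribute.
// The first double quote in the value closes value="..." early.
function render_unsafe(string $bid): string {
    return '<input type="hidden" name="bid" value="' . $bid . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// In WordPress code the equivalent call is esc_attr().
function render_safe(string $bid): string {
    $encoded = htmlspecialchars($bid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="bid" value="' . $encoded . '">';
}

// Parse the markup and list the attribute names an HTML parser finds on
// the <input> element, to show whether the value escaped its attribute.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

echo "unsafe: ", implode(', ', input_attributes(render_unsafe($bid))), "\n";
echo "safe:   ", implode(', ', input_attributes(render_safe($bid))), "\n";
```

In the unsafe rendering the parser reports extra `accesskey`, `onclick` and `test` attributes on the element; in the safe rendering the whole payload stays inside `value`.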

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0. Please credit the source when reposting!