CVE-2023-25710: 
WordPress vulnerability analysis and mitigation

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability was discovered in DIGITALBLUE Click to Call or Chat Buttons WordPress plugin versions 1.4.0 and below. The vulnerability was disclosed on February 15, 2023, and was assigned CVE-2023-25710. The issue was fixed in version 1.5.0 (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue that affects authenticated users with administrator privileges. It received a CVSS v3.1 Base Score of 5.9 MEDIUM with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (Patchstack).

This vulnerability could allow a malicious actor with administrator privileges to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

The recommended solution is to update the Click to Call or Chat Buttons plugin to version 1.5.0 or later, which contains the fix for this vulnerability. Users of Patchstack can enable auto-update for vulnerable plugins to automatically address such issues (Patchstack).