CVE-2024-13099: 
WordPress vulnerability analysis and mitigation

The Widget4Call WordPress plugin through version 1.0.7 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Hassan Khan Yusufzai (Splint3r7) and was publicly disclosed on January 10, 2025. The issue affects the plugin's admin interface where a parameter is not properly sanitized and escaped before being output back to the page (WPScan).

The vulnerability exists due to improper sanitization and escaping of a parameter in the plugin's admin interface. When the parameter is output back to the page, it can lead to a Reflected Cross-Site Scripting attack. The vulnerability can be exploited through the admin panel at the path 'wp-admin/admin.php?page=w4cdevmode&id=' parameter. The issue has been assigned a CVSS score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (WPScan).

The vulnerability could be exploited against high-privilege users such as administrators. If successfully exploited, an attacker could execute arbitrary JavaScript code in the context of the targeted user's browser session, potentially leading to theft of sensitive information or unauthorized actions performed on behalf of the administrator (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Widget4Call WordPress plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).