CVE-2025-50024: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress ATP Call Now plugin versions through 1.0.3. The vulnerability was discovered by Nabil Irawan and was publicly disclosed on June 19, 2025, receiving the identifier CVE-2025-50024. The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation issue (Wiz, Patchstack).

The vulnerability has received a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator privileges to exploit and is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (Patchstack).

If successfully exploited, this vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

No official fix is currently available for this vulnerability. As the software appears to be abandoned (last updated over a year ago), users are strongly advised to remove and replace the ATP Call Now plugin with an alternative solution. It's important to note that merely deactivating the software does not remove the security threat (Patchstack).