CVE-2025-5336 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Click to Chat plugin developed by HoliThemes for WordPress. The vulnerability arises from improper neutralization of input during web page generation, specifically through the ‘data-no_number’ parameter. This parameter is insufficiently sanitized and escaped, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 4.22. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or known exploits are currently reported, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. Attackers exploiting this flaw can leverage it for privilege escalation, data theft, or persistent web defacement. The vulnerability underscores the importance of proper input validation and output encoding in web applications, especially in plugins that handle user-generated content or parameters.

The impact of CVE-2025-5336 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Exploitation allows attackers with Contributor-level access to inject malicious scripts that execute in the context of other users’ browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. This can damage the reputation of affected organizations, lead to data breaches, and compromise user trust. Since the vulnerability requires authentication, it limits exposure to insiders or compromised accounts but remains significant due to the commonality of Contributor roles in WordPress environments. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the attacker’s privileges, increasing risk. Organizations relying on the Click to Chat plugin for customer engagement or communication may face service disruption or exploitation leading to further attacks. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.

To mitigate CVE-2025-5336, organizations should take the following specific actions: 1) Immediately restrict Contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. 2) Monitor and audit user-generated content and parameters, especially those involving the ‘data-no_number’ attribute, for suspicious or unexpected input. 3) Apply strict input validation and output encoding in the plugin’s codebase, ensuring that all user-supplied data is properly sanitized before rendering. 4) If a patch becomes available from HoliThemes, prioritize its deployment across all affected WordPress instances. 5) Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to inject scripts via the vulnerable parameter. 6) Conduct regular security reviews of all installed plugins and remove or replace those that are unmaintained or vulnerable. 7) Educate site administrators and contributors about the risks of XSS and the importance of secure content management practices. 8) Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. These targeted measures go beyond generic advice by focusing on the specific vulnerability vector and the operational context of WordPress environments.