Description
Cross-Site Request Forgery (CSRF) vulnerability in WPShop.ru CallPhone'r callphoner allows Stored XSS. This issue affects CallPhone'r: from n/a through <= 1.1.1.
Published: 2025-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CallPhone'r plugin contains a Cross‑Site Request Forgery vulnerability that permits attackers to store malicious JavaScript payloads as page content, leading to Stored Cross‑Site Scripting. An attacker can inject a script that will then be executed whenever affected site visitors view the compromised content, potentially compromising user credentials, session tokens, or delivering malware. The issue is identified as CWE‑352, reflecting the underlying CSRF weakness that enables the payload injection.

Affected Systems

WPShop.ru CallPhone'r plugin, all releases through version 1.1.1. WordPress sites that have this plugin installed are vulnerable until the plugin is upgraded or removed.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity impact, yet the EPSS score is less than 1%, suggesting a low but non‑zero likelihood of real‑world exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a CSRF request from an authenticated user (most likely an administrator) who unknowingly submits a request that embeds the malicious script. Because the flaw requires an authenticated session, the potential for exploitation is limited to environments where attackers can trick privileged users into sending crafted requests.

Generated by OpenCVE AI on May 1, 2026 at 04:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CallPhone'r to a version newer than 1.1.1, applying any available vendor patch
  • If an upgrade is not immediately possible, disable or remove the vulnerable plugin endpoint until the patch is applied to prevent CSRF requests
  • Ensure the WordPress core and all other plugins are kept current, and use strong authentication practices such as two‑factor authentication to reduce the chance that an attacker can abuse a logged‑in privileged session

Advisories
Source: EUVD
ID: EUVD-2025-7970
Title: Cross-Site Request Forgery (CSRF) vulnerability in WPShop.ru CallPhone'r allows Stored XSS. This issue affects CallPhone'r: from n/a through 1.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value removed: Cross-Site Request Forgery (CSRF) vulnerability in WPShop.ru CallPhone'r allows Stored XSS. This issue affects CallPhone'r: from n/a through 1.1.1.
  • Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in WPShop.ru CallPhone'r callphoner allows Stored XSS. This issue affects CallPhone'r: from n/a through <= 1.1.1.
  • References
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Mar 2025 15:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:00:00 +0000

  • Description: Cross-Site Request Forgery (CSRF) vulnerability in WPShop.ru CallPhone'r allows Stored XSS. This issue affects CallPhone'r: from n/a through 1.1.1.
  • Title: WordPress CallPhone'r plugin <= 1.1.1 - CSRF to Stored XSS vulnerability
  • Weaknesses: CWE-352
  • References
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:53.820Z

Reserved: 2025-03-24T12:59:58.192Z

Link: CVE-2025-30550

Vulnrichment

Updated: 2025-03-24T14:50:14.369Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:24.117

Modified: 2026-04-23T15:26:50.897

Link: CVE-2025-30550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:45:08Z

Weaknesses