IT security company High-Tech Bridge issued a security advisory on Wednesday for two reflected cross-site scripting (XSS) vulnerabilities in the Calls to Action WordPress plugin.
The plugin creates a free lead generation system on a WordPress site and allows users to monitor and track conversion rates and to run A/B or multivariate split tests on calls to action. High-Tech Bridge said more details would be available later this month, on October 28, but it rated the risk level “medium.”
In an email to SCMagazine.com, the company clarified that the vulnerabilities could allow for the execution of code and open back doors into more than 10,000 WordPress websites. Once in, hackers could exploit and steal personal data.
The company believes versions 2.4.3 and prior are exploitable through this attack. The plugin developer was notified of the findings.