Reflected Cross-Site Scripting in Zingaya Click-to-Call Plugin for WordPress
CVE-2026-6696

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Zingaya Click-to-call
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-6696?

The Zingaya Click-to-Call plugin for WordPress is susceptible to Reflected Cross-Site Scripting (XSS) vulnerabilities. The issue arises from inadequate input sanitization and output escaping related to the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page. This vulnerability permits unauthenticated attackers to inject malicious web scripts into pages viewed by users, potentially misleading them into executing actions by clicking on deceptive links. Immediate attention is necessary to mitigate risks associated with this vulnerability.

Affected Version(s)

Zingaya Click-to-Call 0 <= 1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/zingaya-click-to-call/

https://plugins.trac.wordpress.org/browser/zingaya-click-...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

Julian Chibuike Nwadinobi

CVE-2026-6696 Data

JSON