Called.in Click To Call Plugin Security & Risk Analysis

wordpress.org/plugins/wp-click-to-call-calledin

Called Click to call plugin allows you to easily issue a clickToCall service between two phone numbers.

10 active installs · v1.0 · PHP + · WP 3.0.1+ · Updated Sep 5, 2014
Tags: automated-calling, automatic-calling, click-to-call, clicktocall, cloud-calling
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Called.in Click To Call Plugin Safe to Use in 2026?

Generally Safe

Score 85/100

Called.in Click To Call Plugin has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11yr ago
Risk Assessment

The wp-click-to-call-calledin v1.0 plugin exhibits a generally good security posture in several key areas. Notably, there are no recorded CVEs, and the plugin does not utilize dangerous functions or perform direct file operations. Its SQL queries are all secured with prepared statements, and there are no reported vulnerabilities in its history, suggesting stable and secure development.

However, the static analysis reveals some significant concerns. The low percentage of properly escaped output (5%) indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, as user-supplied data is likely being rendered directly to the browser without sufficient sanitization. While there's only one shortcode identified as an entry point, the lack of explicit nonce checks on this entry point, despite the presence of one capability check, raises questions about its overall authorization and could potentially lead to unauthorized actions if the shortcode is susceptible to manipulation. The single external HTTP request also warrants careful scrutiny, though without further context, its potential risk is unclear. The absence of any reported taint analysis issues is positive, but it does not negate the identified output escaping deficiencies.

In conclusion, while the plugin has a clean vulnerability history and good practices in database interactions and the avoidance of dangerous functions, the poor output escaping and potential lack of robust authorization on its shortcode entry point represent notable weaknesses. Addressing the XSS risks and strengthening the security around the shortcode's execution should be a priority to improve its overall security.

Key Concerns

  • Low percentage of properly escaped output
  • Missing nonce checks on entry points
Vulnerabilities
None known

Called.in Click To Call Plugin Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Called.in Click To Call Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 19 (1 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

5% escaped · 20 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flows
<back-end> (back-end.php:0)
Attack Surface

Called.in Click To Call Plugin Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[called] called.php:101

WordPress Hooks: 3
action · admin_menu · called.php:19
action · wp_footer · called.php:102
action · widgets_init · called.php:161
Maintenance & Trust

Called.in Click To Call Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.0.38
Last updated: Sep 5, 2014
PHP min version
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Called.in Click To Call Plugin Developer Profile

Ronak Dave

2 plugins · 20 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Called.in Click To Call Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-click-to-call-calledin/clicked.php

HTML / DOM Fingerprints

CSS Classes
ctcform
Data Attributes
id="to-number", id="clicktocall", id="show-this", id="show"
JS Globals
XMLHttpRequest, ActiveXObject, Called_in_Widget
Shortcode Output
<form id="ctcform" method="post" action="" >
  <input type="text" name="to-number" id="to-number" >
  <input type="submit" id="clicktocall" name="submit" value="Call" >
</form>
<div id="show-this" style="display:none;" >... Your call is in progress please wait for a while</div>
<div id="show" style="display: none">Get the value back here</div>
FAQ

Frequently Asked Questions about Called.in Click To Call Plugin