Impact
The vulnerability is a DOM‑based cross‑site scripting flaw in the Elfsight WhatsApp Chat CC WordPress plugin. Unsanitized user input processed by the widget can be injected into the page, allowing an attacker to execute arbitrary JavaScript in the browsers of visitors who load the compromised page. This weakness can lead to session hijacking, data theft, or defacement of the site, compromising confidentiality, integrity, and availability from the client's perspective. The weakness is classified as CWE‑79, improper neutralisation of input during web page generation.
Affected Systems
The flaw affects all versions of the Elfsight WhatsApp Chat CC WordPress plugin up to and including 1.2.0. Sites running the plugin in this version range, regardless of WordPress installation language or hosting environment, are potentially exposed.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation activity is currently very low. The vulnerability is not currently in the CISA KEV catalog. The likely attack vector is a web page that includes the widget: an attacker must convince a visitor to load a crafted URL or page that feeds malicious input into the widget. Because the flaw is DOM‑based, it does not require a server‑side coding error; however, an attacker must still be able to deliver a script to the client, so the impact is limited to users who access the affected site without additional browser security controls.
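The pattern behind a DOM‑based XSS of this kind, shown as an added illustration that is not the plugin's code: a chat widget reads a phone number and greeting from the URL and builds its markup from them. The parameter names, the query-string source and the string-building sink (the equivalent of assigning to innerHTML) are assumptions; the advisory does not name the actual source or sink. The unsafe renderer is shown beside a hardened one that allowlists the phone value and HTML-encodes the greeting.

```javascript
// Added example, not from the advisory or the plugin. Parameter names,
// the URL source and the markup sink are assumptions for illustration.

// Read widget parameters the way client code reading location.search would.
function parseQuery(search) {
  return Object.fromEntries(new URLSearchParams(search));
}

// Vulnerable pattern: untrusted input concatenated straight into markup.
// In a browser this string would typically be assigned to element.innerHTML.
function renderWidgetUnsafe(params) {
  return '<a href="https://wa.me/' + params.phone + '">' +
         params.greeting + '</a>';
}

// Encode the characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist validation for the value that lands in the link: digits only,
// plausible length. Returns null instead of rendering unexpected input.
function normalisePhone(raw) {
  const digits = String(raw).replace(/\D/g, '');
  return /^\d{6,15}$/.test(digits) ? digits : null;
}

// Hardened renderer: validated value in the URL, encoded value in the text.
// (In real DOM code, prefer setting textContent / href over building HTML.)
function renderWidgetSafe(params) {
  const phone = normalisePhone(params.phone);
  if (phone === null) return '';
  return '<a href="https://wa.me/' + phone + '">' +
         escapeHtml(params.greeting) + '</a>';
}

// Constructed sample input: a greeting that carries markup characters.
const SAMPLE_QUERY = '?phone=%2B1+555-0100&greeting=%3Cb%3Ehi%3C%2Fb%3E';

// Returns both renderings so the difference can be compared directly.
function demo(search = SAMPLE_QUERY) {
  const params = parseQuery(search);
  return { unsafe: renderWidgetUnsafe(params), safe: renderWidgetSafe(params) };
}
```

The unsafe output keeps the injected tags live in the page, while the safe output renders them as literal text and strips everything but digits from the link.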
OpenCVE Enrichment