Description
The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity &#039;. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the &#039; entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.
Published: 2026-06-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
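As an added illustration (not code from the plugin, Wordfence or OpenCVE), the following JavaScript models the two decoding layers the description relies on: a minimal stand-in for esc_attr(), a browser-style HTML attribute decode, and a small parser that checks whether the single-quoted JavaScript literal still holds the whole value once the onclick attribute has been decoded. The https://wa.me/ URL prefix, the helper names and the sample numbers are assumptions; the hardened builder shows one mitigation, escaping for the JavaScript string context first and only then encoding the entire attribute value.

```javascript
// Minimal stand-in for WordPress esc_attr(): HTML attribute encoding only.
function escAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}
// Browser step: an event-handler attribute is HTML-decoded before it is compiled as JS.
function htmlAttrDecode(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot);/gi, (m, e) => {
    if (e[0] !== "#") return named[e.toLowerCase()];
    const hex = e[1].toLowerCase() === "x";
    return String.fromCharCode(parseInt(e.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}
// Reads a single-quoted JS literal at the start of js: decoded value plus the code after it.
function readJsSingleQuoted(js) {
  if (js[0] !== "'") return null;
  let out = "";
  for (let i = 1; i < js.length; i++) {
    const c = js[i];
    if (c === "'") return { value: out, rest: js.slice(i + 1) };
    if (c !== "\\") { out += c; continue; }
    if (js[i + 1] === "u") { out += String.fromCharCode(parseInt(js.substr(i + 2, 4), 16)); i += 5; }
    else { out += js[i + 1]; i += 1; }
  }
  return null; // unterminated literal
}
// Vulnerable construction from the advisory: esc_attr() on the value, interpolated into
// a single-quoted literal that is placed verbatim in onclick (wa.me prefix is assumed).
function vulnerableOnclick(num) {
  return "window.open('https://wa.me/" + escAttr(num) + "')";
}
// Hardened construction: first make the value a JS literal that nothing can close
// (\uXXXX-escape everything outside [A-Za-z0-9]), then encode the whole attribute value.
function jsStringLiteral(s) {
  return "'" + s.replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")) + "'";
}
function hardenedOnclick(num) {
  return escAttr("window.open(" + jsStringLiteral("https://wa.me/" + num) + ")");
}
// What the browser would run: does the literal still hold the whole URL, with only ")" after it?
function analyze(onclickAttr) {
  const js = htmlAttrDecode(onclickAttr);
  const lit = readJsSingleQuoted(js.slice(Math.max(js.indexOf("'"), 0)));
  return lit ? { contained: lit.rest === ")", url: lit.value, js } : { contained: false, js };
}
```

Running analyze() over vulnerableOnclick() with a value containing a single quote reports that the literal ends early, while the hardened form keeps the full value inside the string.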
AI Analysis

Impact

The vulnerability arises from insufficient escaping of the 'num' shortcode attribute in the Click to Chat – HoliThemes WordPress plugin. The esc_attr() call converts single quotes into &#039; entities, which are decoded back into literal quotes when inserted into a JavaScript string within an HTML onclick attribute. This allows an authenticated user with Contributor or higher role to inject arbitrary JavaScript that will run when a visitor clicks the WhatsApp chat button, leading to cross-site scripting that can steal session cookies, deface content, or perform other client-side attacks. The flaw does not provide server-side code execution, but it facilitates arbitrary script execution in the context of a site visitor.

Affected Systems

The affected product is the Click to Chat – HoliThemes WordPress plugin. All versions up to and including 4.38, and likely 4.39, are vulnerable. Administrators of sites running these versions should check their WordPress installations for this plugin and review any [chat] shortcodes that use the 'num' attribute.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower immediate threat. However, because only authenticated Contributor-level access is required, exploitation is feasible for site administrators or any user holding an elevated role. Attackers can generate payloads via the shortcode, and the bug is straightforward to exploit once the shortcodes are present. The risk is therefore moderate but actionable, and the vulnerability can be mitigated by updating the plugin or limiting user privileges.

Generated by OpenCVE AI on June 6, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Click to Chat plugin to the latest released version, which includes the XSS fix
  • Review and remove any existing [chat] shortcodes that include the 'num' parameter from posts, pages, or templates
  • Restrict the use of the [chat] shortcode and manipulation of its attributes to administrator-level users, removing Contributor or higher access when possible

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Jun 2026 03:30:00 +0000

Description (values added): The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity &#039;. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the &#039; entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.
Title (values added): Click to Chat <= 4.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter
Weaknesses (values added): CWE-79
References
Metrics cvssV3_1 (values added):
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:48:08.795Z

Reserved: 2026-05-04T19:03:00.750Z

Link: CVE-2026-7795

Vulnrichment

Updated: 2026-06-06T11:48:04.115Z

NVD

Status : Received

Published: 2026-06-06T04:17:40.870

Modified: 2026-06-06T04:17:40.870

Link: CVE-2026-7795

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T04:30:12Z

Weaknesses