MEDIUM 6.4

CVE-2026-7795: Click to Chat WA Widget WordPress Plugin Stored XSS Vulnerability (v4.38)

The Click to Chat – WA Widget plugin for WordPress contains a flaw that allows authenticated users with basic contributor permissions to inject malicious code into pages. When someone clicks the WhatsApp chat button on an affected site, the injected code executes in their browser. The vulnerability stems from improper handling of a shortcode parameter: the plugin escapes user input in a way that works for HTML attributes, but that escaping is later decoded by browsers when the value appears inside a JavaScript function call within an event handler. This creates a window for attackers to break out of the intended string context and run arbitrary JavaScript.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity '. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the ' entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7795 is a Stored Cross-Site Scripting (XSS) vulnerability in the Click to Chat – WA Widget plugin versions up to 4.38. The vulnerability exists in the CCW_Shortcode::shortcode() function, which processes the [chat] shortcode's 'num' parameter. The function applies esc_attr() to escape the parameter for HTML attribute context (converting single quotes to '), but this escaped value is then directly interpolated into a JavaScript window.open() call string delimited by single quotes. This composed string is subsequently placed verbatim into HTML onclick event-handler attributes in style template files. The flaw occurs because browsers HTML-decode event attribute values before executing embedded JavaScript, causing the HTML entities to be decoded back to literal quote characters at runtime. An attacker can exploit this double-layer processing to inject arbitrary JavaScript that breaks out of the string context and executes with the privileges of the logged-in user.

Business impact

This vulnerability enables low-privileged authenticated attackers (Contributor level and above) to persistently inject malicious scripts into pages containing the WhatsApp widget. When visitors interact with the chat button, the injected code executes in their browsers, potentially enabling credential theft, session hijacking, defacement, malware distribution, or redirection to phishing sites. Organizations relying on the Click to Chat plugin for customer engagement face reputational risk and potential customer data exposure. The attack requires no user interaction beyond the normal click-to-chat action, making it particularly dangerous in high-traffic scenarios.

Affected systems

The Click to Chat – WA Widget plugin for WordPress in all versions up to and including 4.38 is affected. Organizations using this plugin to embed WhatsApp messaging functionality on their WordPress sites are at risk. The vulnerability requires that an attacker have at least Contributor-level access to the WordPress installation, meaning the exposure is limited to environments where such accounts are provisioned. However, in multi-author or agency-managed WordPress setups, this permission level may be more widely distributed than assumed.

Exploitability

The vulnerability is moderately exploitable. While it requires authenticated access at the Contributor level or above, many WordPress installations grant such permissions to content creators, guest authors, or agency contractors. No special technical skills are needed beyond crafting a malicious shortcode attribute; the injection point is straightforward and does not require bypassing additional security controls. Once injected via the shortcode, the malicious script persists in the page and executes for all visitors, making it a high-impact attack with low execution complexity. The CVSS 3.1 score of 6.4 (MEDIUM severity) reflects the requirement for authenticated access and the lack of availability impact, but acknowledges the combination of integrity and confidentiality risk across site scope.

Remediation

Upgrade the Click to Chat – WA Widget plugin to a patched version that properly escapes or sanitizes the 'num' parameter for JavaScript string contexts. Verify the fix in the vendor's advisory to ensure the escaping mechanism accounts for both HTML and JavaScript decoding layers. In the interim, restrict Contributor-level access to only trusted team members, audit existing posts and pages containing the [chat] shortcode for injected payloads, and consider disabling the plugin if it is not actively needed. Review user access logs for any unauthorized shortcode insertions or edits to pages containing the widget.

Patch guidance

Check the plugin vendor's advisory and release notes for a patched version that addresses the escaping issue. The fix should either apply context-aware encoding that survives both HTML and JavaScript decoding, or refactor the code to avoid interpolating user input into JavaScript string literals within event handlers. After updating, test the WhatsApp chat functionality across multiple browsers to confirm the widget still operates correctly. Verify that any payloads matching the vulnerability pattern no longer execute by reviewing browser developer console output or injecting test patterns.

Detection guidance

Monitor the WordPress plugin directory and vendor release notes for security updates to Click to Chat – WA Widget. Audit the [chat] shortcode usage across all published posts and pages using WordPress plugin activity logs or database queries (search postmeta or post_content for shortcode instances). Examine any user edits made by Contributor-level accounts to pages containing the shortcode, particularly changes made around the 'num' parameter or surrounding attributes. Implement Web Application Firewall (WAF) rules to detect common XSS payloads in shortcode attributes, and monitor browser console errors for signs of injected JavaScript. In WordPress, enable and review security audit logs for any modifications to plugin files or post metadata.

Why prioritize this

While the CVSS score is MEDIUM (6.4), prioritize this vulnerability in mixed-access WordPress environments. The stored nature of the XSS, combined with the low bar to entry (Contributor permissions), means that a single compromised or malicious user account can silently inject code affecting all site visitors. This is particularly critical for e-commerce, SaaS, and agency-hosted WordPress sites where Contributor accounts are common. Organizations with strict access controls limiting Contributor permissions to a small, trusted team may deprioritize slightly, but should still patch promptly.

Risk score, explained

The CVSS 3.1 score of 6.4 reflects a MEDIUM-severity vulnerability. The score incorporates: (1) Network-accessible attack vector (AV:N), (2) Low attack complexity with no special conditions required (AC:L), (3) Requirement for low-privilege authenticated access (PR:L), (4) No user interaction needed from the attacker's perspective (UI:N), (5) Changed scope—the vulnerability can affect resources beyond the vulnerable component (S:C), and (6) Low confidentiality and integrity impact (C:L, I:L) with no availability impact (A:N). The score does not account for prevalence of plugin installations or the ease with which Contributor accounts may be provisioned in real-world WordPress deployments.

Frequently asked questions

Does this vulnerability require an attacker to have administrator access?

No. The vulnerability can be exploited by any authenticated user with Contributor-level access or above. Contributor is one of the lower permission tiers in WordPress and may be assigned to content creators, guest authors, or agency partners, making exploitation more likely than a typical authenticated XSS that requires admin privileges.

Can the malicious payload be injected by unauthenticated users?

No. The vulnerability requires authentication to WordPress at least at the Contributor level. Unauthenticated visitors cannot directly inject the payload, but once injected, they will be affected when they view the page and interact with the WhatsApp chat button.

Is there a temporary workaround if I cannot update immediately?

Yes. Restrict Contributor-level access to a minimal set of trusted users, audit all existing [chat] shortcodes for suspicious 'num' parameter values, and consider temporarily disabling the plugin or hiding the WhatsApp widget if it is not critical to operations. However, updating to a patched version is the only permanent fix.

How can I tell if my site has been exploited?

Search your WordPress post and page content for [chat] shortcodes with unusual 'num' parameter values that include JavaScript-like syntax or encoded characters. Review security logs for unauthorized edits to posts containing the shortcode. Check browser developer console output when viewing pages with the widget for any JavaScript errors or unexpected script execution. Use security scanning plugins to detect reflected or stored XSS patterns.

This analysis is provided for informational purposes and reflects the state of vulnerability data as of the publication date. SEC.co does not provide formal security advice, warranty, or indemnification. Patch availability, version numbering, and vendor timelines are subject to change; consult official vendor advisories for definitive remediation guidance. Organizations should conduct their own risk assessments and testing before applying patches in production environments. The absence of a vulnerability from CISA's Known Exploited Vulnerabilities (KEV) catalog does not guarantee the absence of active exploitation; proof-of-concept code or active attacks may exist outside public channels. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).