Stored Cross-Site Scripting Vulnerability in Click to Chat – WA Widget Plugin for WordPress
CVE-2026-7795
6.4MEDIUM
What is CVE-2026-7795?
The Click to Chat – WA Widget plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting through the '[chat]' shortcode's 'num' parameter. This issue arises from inadequate escaping of user-supplied values when incorporated into JavaScript strings within HTML attributes, enabling authenticated attackers with Contributor-level access and higher to insert malicious code. The flaw exists in all versions up to and including 4.38. When the shortcode is rendered, it can execute arbitrary scripts when a user interacts with the WhatsApp chat button, exposing users to potential attack vectors through deceptive links or harmful scripts.
Affected Version(s)
Click to Chat – HoliThemes 0 <= 4.39