Stored Cross-Site Scripting Vulnerability in Click to Chat – WA Widget Plugin for WordPress
CVE-2026-7795

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
6 June 2026

What is CVE-2026-7795?

The Click to Chat – WA Widget plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting through the '[chat]' shortcode's 'num' parameter. This issue arises from inadequate escaping of user-supplied values when incorporated into JavaScript strings within HTML attributes, enabling authenticated attackers with Contributor-level access and higher to insert malicious code. The flaw exists in all versions up to and including 4.38. When the shortcode is rendered, it can execute arbitrary scripts when a user interacts with the WhatsApp chat button, exposing users to potential attack vectors through deceptive links or harmful scripts.

Affected Version(s)

Click to Chat – HoliThemes 0 <= 4.39

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vijay
.