CVE-2026-7795: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in holithemes Click to Chat – HoliThemes
The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity '. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the ' entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.
AI Analysis
Technical Summary
The Click to Chat – WA Widget WordPress plugin contains a stored XSS vulnerability via the 'num' parameter of its [chat] shortcode. The plugin applies esc_attr() to the parameter, converting single quotes to the HTML entity ', but this entity is decoded back to a literal single quote by browsers when executing JavaScript in HTML onclick attributes. This allows an attacker with Contributor-level privileges or higher to inject JavaScript that executes when users click the WhatsApp chat button. The vulnerability stems from insufficient escaping of user-supplied shortcode attributes embedded inside JavaScript string literals within HTML event handlers. This affects all versions up to 4.38. There is no vendor advisory or patch available at this time.
Potential Impact
An authenticated attacker with Contributor-level or higher privileges can inject arbitrary JavaScript code into pages via the vulnerable shortcode parameter. This code executes in the context of users who click the WhatsApp chat button, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability does not require user interaction beyond clicking the chat button and does not impact availability. The CVSS score of 6.4 reflects a medium severity with low attack complexity, requiring privileges, and no user interaction beyond clicking.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting Contributor-level access or higher to trusted users only. Avoid using the vulnerable shortcode or disable the Click to Chat plugin if possible. Monitor for updates from HoliThemes regarding patches or mitigations.
CVE-2026-7795: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in holithemes Click to Chat – HoliThemes
Description
The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity '. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the ' entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.
CVSS v3.1
Score 6.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Click to Chat – WA Widget WordPress plugin contains a stored XSS vulnerability via the 'num' parameter of its [chat] shortcode. The plugin applies esc_attr() to the parameter, converting single quotes to the HTML entity ', but this entity is decoded back to a literal single quote by browsers when executing JavaScript in HTML onclick attributes. This allows an attacker with Contributor-level privileges or higher to inject JavaScript that executes when users click the WhatsApp chat button. The vulnerability stems from insufficient escaping of user-supplied shortcode attributes embedded inside JavaScript string literals within HTML event handlers. This affects all versions up to 4.38. There is no vendor advisory or patch available at this time.
Potential Impact
An authenticated attacker with Contributor-level or higher privileges can inject arbitrary JavaScript code into pages via the vulnerable shortcode parameter. This code executes in the context of users who click the WhatsApp chat button, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability does not require user interaction beyond clicking the chat button and does not impact availability. The CVSS score of 6.4 reflects a medium severity with low attack complexity, requiring privileges, and no user interaction beyond clicking.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting Contributor-level access or higher to trusted users only. Avoid using the vulnerable shortcode or disable the Click to Chat plugin if possible. Monitor for updates from HoliThemes regarding patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-04T19:03:00.750Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a23950fe29bf47b5005f837
Added to database: 6/6/2026, 3:33:35 AM
Last enriched: 6/6/2026, 3:48:53 AM
Last updated: 6/7/2026, 4:26:14 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.