CVE-2026-15291 in ChatHelp Plugin
Summary
by MITRE • 07/10/2026
The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}. This is due to the plugin not performing any authentication and authorization checks. This makes it possible for unauthenticated attackers to extract sensitive data including customer names, email addresses, phone numbers, WhatsApp messages, complete geolocation data (IP addresses, city, country, ISP, coordinates), device fingerprinting information (browser, OS, screen resolution), and WordPress account credentials (user IDs, usernames, emails, names) for logged-in users who submit forms.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The Chat Help plugin for WordPress presents a critical security vulnerability through its REST API endpoints that exposes sensitive user data without proper authentication mechanisms. This vulnerability affects all versions up to and including 313, creating an unprecedented risk for WordPress sites that utilize this plugin. The exposed endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id} serve as attack vectors that allow malicious actors to access comprehensive customer information through unauthenticated requests. The flaw stems from the plugin's complete absence of authorization controls, which violates fundamental security principles and creates a direct pathway for data exfiltration.
The technical nature of this vulnerability places it squarely within the scope of CWE-284 Access Control Issues, specifically addressing insufficient authorization mechanisms that permit unauthorized access to protected resources. This weakness enables attackers to exploit the REST API endpoints as described in the attack pattern catalog under ATT&CK technique T1071.004 Application Layer Protocol: DNS, where the exploitation occurs through legitimate application interfaces. The vulnerability's design flaw allows for complete data enumeration without requiring any valid credentials or session tokens, making it particularly dangerous for organizations that rely on WordPress forms for customer engagement and lead collection.
The operational impact of this exposure extends far beyond simple data leakage, as the compromised information includes highly sensitive personal identifiers and system access credentials. Attackers can extract complete customer profiles containing names, email addresses, phone numbers, and WhatsApp message histories, which constitutes a significant privacy breach under various regulatory frameworks including gdpr and ccpa. The inclusion of geolocation data such as IP addresses, city, country, ISP information, and geographic coordinates creates additional risks for location-based attacks and surveillance activities. Device fingerprinting information including browser type, operating system details, and screen resolution provides attackers with comprehensive user behavior patterns that can be leveraged for advanced persistent threat campaigns.
The exposure of WordPress account credentials represents the most severe aspect of this vulnerability, as it enables attackers to gain direct access to user accounts and potentially escalate privileges within the WordPress environment. User IDs, usernames, emails, and names combined with the exposed form data create a complete profile of authenticated users that can be used for credential stuffing attacks against other services or for privilege escalation within the WordPress installation. This vulnerability creates an attack surface that could facilitate lateral movement throughout network infrastructure and lead to broader system compromise.
Organizations should immediately implement mitigations including plugin updates to versions that address authentication requirements, implementation of rate limiting on REST API endpoints, and network-level restrictions to limit access to these vulnerable paths. The recommended approach involves deploying web application firewalls with specific rules blocking access to the affected endpoints, implementing proper authentication checks, and conducting thorough security audits of all installed plugins. Additionally, administrators should consider disabling the REST API for non-privileged users where possible and implement comprehensive monitoring of API access patterns to detect anomalous behavior that might indicate exploitation attempts.