CVE-2026-15759 in ChatHelp Plugininfo

Summary

by MITRE • 07/17/2026

The ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/17/2026

The ChatHelp plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects versions 3.5.1 and earlier, creating a significant security risk for WordPress sites utilizing this commerce-focused solution. This vulnerability specifically targets the plugin's shortcode attributes 'number' and 'group' which are processed without adequate input sanitization measures, allowing malicious code injection into the plugin's configuration parameters. The flaw exists within the plugin's handling of user-supplied data through shortcode processing mechanisms that fail to properly validate or escape input values before storing them in the WordPress database.

The technical implementation of this vulnerability stems from inadequate security controls within the plugin's shortcode attribute processing logic, which directly translates user-provided values into stored content without proper sanitization procedures. When authenticated users with contributor-level access or higher submit shortcode parameters containing malicious scripts through the 'number' and 'group' attributes, these inputs are persisted in the WordPress database and subsequently executed whenever affected pages are rendered to any user who accesses them. This represents a classic stored XSS vulnerability where the malicious payload is stored server-side rather than being reflected in response headers or URL parameters.

The operational impact of this vulnerability extends beyond simple script execution as it creates persistent attack vectors that can compromise user sessions, steal sensitive information, and potentially facilitate further exploitation within the compromised WordPress environment. Attackers leveraging this vulnerability can craft malicious shortcodes that inject malicious JavaScript code which executes in the context of other users' browsers, enabling session hijacking, credential theft, or redirection to malicious sites. The vulnerability's accessibility through contributor-level privileges makes it particularly concerning as it requires minimal escalation effort and can affect any site administrator who fails to monitor user permissions effectively. This flaw directly aligns with CWE-79 which defines cross-site scripting vulnerabilities where untrusted data is improperly handled in web applications.

Mitigation strategies for this vulnerability include immediate plugin updates to versions that address the sanitization issues, implementing strict input validation for all shortcode parameters, and establishing robust output escaping mechanisms for stored content. Site administrators should also consider implementing role-based access controls to limit contributor-level privileges to only essential functions, while monitoring user activities for suspicious shortcode modifications. Additional protective measures may include deploying web application firewalls that can detect and block malicious script patterns in HTTP requests, as well as regular security audits of plugin configurations and user permissions. The vulnerability demonstrates the importance of following security best practices such as those outlined in the OWASP Top Ten and MITRE ATT&CK framework for web application security, particularly in relation to input validation and output encoding controls that prevent malicious code execution in web environments.

Responsible

Wordfence

Reservation

07/14/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!