CVE-2026-7795 in Click to Chat Plugin

Summary

by MITRE • 06/06/2026

The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity &#039;. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the &#039; entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.


Analysis

by VulDB Data Team • 06/06/2026

The Click to Chat - WA Widget plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 4.38. This vulnerability stems from inadequate input sanitization within the plugin's shortcode processing mechanism, specifically targeting the 'num' parameter of the [chat] shortcode. The flaw resides in the CCW_Shortcode::shortcode() function, where the 'num' parameter undergoes only basic HTML entity encoding through the esc_attr() function, which converts single quotes to the HTML entity &#039; but fails to properly sanitize the value for a JavaScript context. The vulnerability operates through a sophisticated chain where user-supplied input flows through multiple processing stages before reaching the final execution point. When the shortcode is rendered, the encoded parameter value gets interpolated directly into JavaScript string literals that are then embedded within HTML event-handler attributes, creating an execution path that bypasses standard security measures.

The technical exploitation occurs due to the improper handling of user input within the plugin's template files, particularly in sc-style-1.php, where the JavaScript string is constructed using single quote delimiters. The vulnerability manifests when the 'num' parameter value is passed through esc_attr() on line 157, which correctly converts single quotes to HTML entities, but this encoding is subsequently used within a JavaScript context without proper de-escaping. The critical flaw lies in how browsers process HTML event attributes - they automatically HTML-decode the attribute values before executing the embedded JavaScript code. This automatic decoding process converts the &#039; entities back to literal single quotes, effectively breaking out of the JavaScript string context and allowing malicious payloads to execute with the privileges of the victim user. The vulnerability specifically targets authenticated users with Contributor-level access or higher, making it particularly dangerous as it can be exploited by users who already have the ability to modify content on the WordPress site.

The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent threat vector that can affect all users who interact with the WhatsApp chat button. Attackers can inject malicious JavaScript code that executes whenever any user clicks the chat button, potentially leading to session hijacking, data theft, or further exploitation of the compromised WordPress installation. The vulnerability affects the core functionality of the plugin by allowing attackers to modify the behavior of the WhatsApp chat widget, potentially redirecting users to malicious sites or executing arbitrary commands on their behalf. This stored XSS vulnerability can be particularly insidious because the malicious code persists in the database until manually removed, continuously affecting all users who encounter the compromised shortcode. The attack vector requires minimal privileges, making it accessible to users who should not have the ability to inject malicious code into the site's frontend.

Mitigation strategies for this vulnerability should focus on immediate code-level fixes and comprehensive security hardening. The primary remediation involves implementing proper context-appropriate escaping for JavaScript contexts, ensuring that user-supplied values are properly sanitized before being inserted into JavaScript string literals. This requires using JavaScript-specific escaping functions rather than generic HTML entity encoding when dealing with JavaScript contexts. Security patches should modify the CCW_Shortcode::shortcode() function to properly escape the 'num' parameter value for JavaScript execution contexts, potentially using wp_json_encode() or similar functions that ensure proper JavaScript string escaping. Additionally, administrators should implement proper access controls and privilege management, ensuring that only trusted users have the ability to create or modify content that utilizes the vulnerable shortcode. The vulnerability aligns with CWE-79 (Cross-site Scripting) and specifically maps to ATT&CK techniques T1566.001 (Phishing: Spearphishing Attachment) and T1059.007 (Command and Scripting Interpreter: JavaScript), as it enables attackers to execute malicious JavaScript through compromised user accounts and legitimate plugin functionality. Regular security auditing of WordPress plugins and maintaining up-to-date versions are essential practices to prevent exploitation of such vulnerabilities.
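As an added illustration (not code from the plugin, from MITRE or from VulDB), the encoding chain described above simulated in Python: a stand-in for esc_attr(), the vulnerable single-quoted interpolation, the browser's attribute-decoding step, and the wp_json_encode()-style fix. The function names esc_attr, vulnerable_onclick, fixed_onclick, browser_decode and single_string_argument are this example's own, and the sample 'num' value is constructed.

```python
import html
import json

# Constructed sample attribute value: a phone-number-looking string that also
# contains a single quote, which is all the context mismatch needs.
SAMPLE_NUM = "123'+probe()+'"


def esc_attr(value: str) -> str:
    """Stand-in for WordPress esc_attr(): encodes & < > \" and '.
    Python emits &#x27; where WordPress emits &#039;; browsers decode both."""
    return html.escape(value, quote=True)


def vulnerable_onclick(num: str) -> str:
    """The advisory's pattern: attribute-escaped value dropped straight into a
    single-quoted JS string literal that will live inside onclick="...".
    The result looks quote-free in page source, which is why it passes review."""
    return "window.open('https://wa.me/" + esc_attr(num) + "')"


def fixed_onclick(num: str) -> str:
    """Escape for the innermost context first (json.dumps stands in for
    wp_json_encode), then for the HTML attribute that carries the script."""
    return esc_attr("window.open(" + json.dumps("https://wa.me/" + num) + ")")


def browser_decode(attr_value: str) -> str:
    """What the HTML parser does to an event-handler attribute before the
    JavaScript engine ever sees it: every entity becomes its literal character."""
    return html.unescape(attr_value)


def single_string_argument(js: str):
    """Minimal JS string lexer for window.open(<one string literal>).
    Returns the literal's value, or None when the source no longer has that
    shape, i.e. when the value escaped its string context."""
    prefix, suffix = "window.open(", ")"
    if not (js.startswith(prefix) and js.endswith(suffix)):
        return None
    body = js[len(prefix):-len(suffix)]
    if len(body) < 2 or body[0] not in "'\"" or body[-1] != body[0]:
        return None
    quote, chars, i = body[0], [], 1
    while i < len(body) - 1:
        ch = body[i]
        if ch == quote:
            return None  # unescaped delimiter before the closing one: breakout
        if ch == "\\":
            if i + 1 >= len(body) - 1:
                return None  # backslash would swallow the closing delimiter
            nxt = body[i + 1]
            if nxt == "u":  # \uXXXX as emitted by json.dumps for non-ASCII
                chars.append(chr(int(body[i + 2:i + 6], 16)))
                i += 6
                continue
            chars.append({"n": "\n", "t": "\t", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        chars.append(ch)
        i += 1
    return "".join(chars)
```

Running single_string_argument over browser_decode(vulnerable_onclick(SAMPLE_NUM)) returns None, while the fixed variant returns the full value as one intact literal.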

Responsible: Wordfence

Reservation: 05/04/2026

Disclosure: 06/06/2026

Moderation: accepted

CPE: ready

EPSS: 0.00040

KEV: no

Activities: low
