WhatsApp contact widgets are small from a user-experience perspective, but they sit on a sensitive boundary between public visitors, business communication flows, tracking, shortcodes, and administrator-controlled display rules. A misstep in this layer can turn a support button into a stored XSS vector, an unsafe redirect path, or a leakage point for contact and form data. Click to Chat – HoliThemes version 4.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64656, confirming that the plugin was reviewed from a secure code perspective with attention to common exploitation paths for communication and front-end widget plugins.
| Field | Details |
|---|---|
| Name | Click to Chat – HoliThemes |
| Version | 4.39 |
| Active installations | 700,000+ |
| Description | WhatsApp Chat. Let’s make your Web page visitors contact you through “WhatsApp” or “WhatsApp Business” with a single click (WhatsApp Chat, Group). |
| Security | Successfully tested for: SQL Injection (SQLi); Cross-Site Scripting (XSS), Stored & Reflected; Cross-Site Request Forgery (CSRF); Authentication Vulnerabilities; Authentication Bypass Exploits; Privilege Escalation; Buffer Overflow; Denial-of-Service (DoS) vectors; Data Leakage Vulnerabilities; Insecure Dependency Usage; Remote Code Execution (RCE) Risks; Unauthorized File Access; Insufficient Injection Protection; Information Disclosure via Misconfigured Endpoints |
| CleanTalk Certification | Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards. |
| Additional Information | Use Click to Chat with confidence backed by the “Plugin Security Certification” (PSC). Always verify the latest plugin details and keep WordPress core and dependent components up to date. |
| Plugin Security Certification by CleanTalk | (plugin logo image) |
Key Features
Click to Chat – HoliThemes lets WordPress site owners add WhatsApp and WhatsApp Business contact options to public pages with configurable styles, placement rules, pre-filled messages, shortcodes, custom elements, greetings dialogs, notification badges, and WooCommerce-oriented display behavior. The plugin supports different layouts for desktop and mobile visitors, allows administrators to convert selected elements into WhatsApp chat triggers, and can support richer interaction flows through greeting dialogs and form-style pre-chat data collection. These features matter for security because they combine wp-admin configuration screens, front-end rendering, shortcode output, dynamic message construction, and optional integration points such as analytics or webhooks. The safest implementation pattern is to keep administrator-only configuration protected, sanitize values before storage, and encode every user-visible field according to its final HTML, URL, JavaScript, or attribute context.
Security Assurance
The CleanTalk Plugin Security Certification evaluation focuses on defensive behavior for plugins that inject interactive front-end widgets into public pages. For WhatsApp contact plugins, the common abuse patterns include injecting JavaScript into widget labels, greetings, pre-filled messages, agent names, or button content; bypassing capability checks to change phone numbers or redirect targets; abusing shortcodes or custom element selectors to render attacker-controlled markup; and forcing administrators into unwanted configuration changes through CSRF. The review validates that configuration screens are protected by appropriate capability checks, that state-changing actions use nonce validation, and that output is encoded safely across links, text nodes, attributes, and dynamic widget markup. Because communication widgets may also interact with analytics, WooCommerce pages, webhooks, and visitor-submitted form data, the review pays particular attention to data minimization, safe request handling, and preventing public visitor input from becoming executable content.
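The pattern described in the two sections above (capability check, nonce validation, sanitize-on-store, encode-per-context) is sketched below in PHP as an added example; it is not Click to Chat's own code, and the option name, nonce action, and field names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. The option name
// 'ctc_example_settings' and nonce action 'ctc_example_save' are hypothetical.

// Settings save: capability check first, then nonce check (CSRF), then
// sanitize each value for the form it is stored in.
function ctc_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ctc-example' ), 403 );
    }
    check_admin_referer( 'ctc_example_save' ); // dies on a missing or invalid nonce

    // WhatsApp numbers are international digits only: strip everything else and
    // bound the length so the "number" cannot carry a path or query string.
    $number = preg_replace( '/\D+/', '', (string) ( $_POST['number'] ?? '' ) );
    if ( strlen( $number ) < 6 || strlen( $number ) > 15 ) {
        $number = '';
    }

    update_option( 'ctc_example_settings', array(
        'number'  => $number,
        'label'   => sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) ),
        'prefill' => sanitize_textarea_field( wp_unslash( $_POST['prefill'] ?? '' ) ),
    ) );
}

// Front-end render: each stored value is encoded for the context it lands in,
// the URL (href), an attribute (title), or a text node (button label).
function ctc_example_render_button() {
    $opts = get_option( 'ctc_example_settings', array() );
    if ( empty( $opts['number'] ) ) {
        return ''; // nothing to render without a valid number
    }

    // The pre-filled message is a query parameter, so it is percent-encoded
    // first; esc_url then enforces an allowed scheme on the finished link.
    $href = esc_url( 'https://wa.me/' . $opts['number']
        . '?text=' . rawurlencode( $opts['prefill'] ?? '' ) );

    $label = ! empty( $opts['label'] ) ? $opts['label'] : 'Chat on WhatsApp';

    return sprintf(
        '<a class="ctc-example" href="%s" title="%s" rel="noopener noreferrer" target="_blank">%s</a>',
        $href,
        esc_attr( $label ),
        esc_html( $label )
    );
}
```

The same label is encoded twice, once with esc_attr and once with esc_html, because the attribute and the text node are different output contexts.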
The plugin has been successfully tested for:
✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ File Unauthorized Access Vulnerabilities
✅ Insufficient Injection Protection
Conclusion
With PSC-2026-64656, Click to Chat – HoliThemes version 4.39 demonstrates strong baseline security for the workflows that matter most in WhatsApp communication plugins: managing chat widget configuration in wp-admin, rendering public contact elements safely, and reducing injection and access-control risk across shortcodes, greetings, and page-level display rules. This certification helps site owners use WhatsApp contact features with stronger confidence that common WordPress vulnerability classes have been reviewed. As a best practice, restrict who can modify communication settings, review any dynamic text or pre-filled messages before publishing, and keep analytics or webhook integrations limited to trusted destinations.
Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.
