Vulnerabilities and security researches forclick-to-chat-for-whatsapp click-to-chat-for-whatsapp
Direction: ascendingJun 07, 2024
Click to Chat – HoliThemes # CVE-2024-3849
- CVE, Research URL
- Home page URL
- Application
- Date
- May 02, 2024
- Research Description
- The Click to Chat – HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. This makes it possible for authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- Affected versions
-
max 4.0.
- Status
-
vulnerable
Click to Chat – HoliThemes # CVE-2022-4480
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 16, 2023
- Research Description
- The Click to Chat WordPress plugin before 3.18.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
- Affected versions
-
max 3.18.1.
- Status
-
vulnerable
Jun 15, 2025
Click to Chat – HoliThemes # CVE-2025-5336
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 14, 2025
- Research Description
- The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 4.23.
- Status
-
vulnerable
May 26, 2026
Click to Chat – HoliThemes # PSC-2026-64656
- PSC, Research URL
- Home page URL
- Application
- Date
- May 26, 2026
- Research Description
- WhatsApp contact widgets are small from a user-experience perspective, but they sit on a sensitive boundary between public visitors, business communication flows, tracking, shortcodes, and administrator-controlled display rules. A misstep in this layer can turn a support button into a stored XSS vector, an unsafe redirect path, or a leakage point for contact and form data. Click to Chat – HoliThemes version 4.39 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64656, confirming that the plugin was reviewed from a secure code perspective with attention to common exploitation paths for communication and front-end widget plugins.
- Affected versions
-
Min 4.40, max 4.40.
- Status
-
SAFE & CERTIFIED
Jun 07, 2026
Click to Chat – HoliThemes # CVE-2026-7795
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 06, 2026
- Research Description
- The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity '. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the ' entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.
- Affected versions
-
max 4.40.
- Status
-
vulnerable