Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elfsight Elfsight WhatsApp Chat CC elfsight-whatsapp-chat allows DOM-Based XSS.This issue affects Elfsight WhatsApp Chat CC: from n/a through <= 1.2.0.
AnalysisAI
DOM-Based cross-site scripting (XSS) in Elfsight WhatsApp Chat CC WordPress plugin versions up to 1.2.0 allows authenticated attackers with limited privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R per CVSS vector) and affects the plugin's DOM manipulation during web page generation. Real-world exploitation risk is low: EPSS score of 0.03% (8th percentile) reflects minimal demonstrated exploitation likelihood, no public proof-of-concept has been identified, and CISA SSVC assessment indicates exploitation is not yet observed and attack automation is infeasible.
Technical ContextAI
This vulnerability is a DOM-based XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Elfsight WhatsApp Chat CC plugin for WordPress. DOM-based XSS occurs when untrusted user input is processed and rendered directly into the Document Object Model without proper sanitization or output encoding, allowing attackers to execute arbitrary JavaScript in a victim's browser context. The plugin fails to neutralize user-supplied data before inserting it into the DOM during the page generation lifecycle. As a WordPress plugin (CPE indicates vendor=elfsight, product=elfsight_whatsapp_chat_cc), the vulnerability is present in the client-side component that handles WhatsApp chat widget initialization and rendering.
RemediationAI
Update the Elfsight WhatsApp Chat CC plugin to version 1.2.1 or later. Site administrators should navigate to WordPress Admin Dashboard > Plugins, locate 'Elfsight WhatsApp Chat CC', and install the available update. If automatic updates are disabled, download the latest version from the official WordPress plugin repository or Elfsight's website and install manually. No interim workarounds are available; patching is the primary remediation. For detailed vulnerability information and confirmation of patched versions, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/elfsight-whatsapp-chat/vulnerability/wordpress-elfsight-whatsapp-chat-cc-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39696.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20393
GHSA-264c-x5mq-ppr2