Skip to main content

Elfsight Whatsapp Chat Cc CVE-2026-39696

| EUVDEUVD-2026-20393 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-264c-x5mq-ppr2
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20393
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elfsight Elfsight WhatsApp Chat CC elfsight-whatsapp-chat allows DOM-Based XSS.This issue affects Elfsight WhatsApp Chat CC: from n/a through <= 1.2.0.

AnalysisAI

DOM-Based cross-site scripting (XSS) in Elfsight WhatsApp Chat CC WordPress plugin versions up to 1.2.0 allows authenticated attackers with limited privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R per CVSS vector) and affects the plugin's DOM manipulation during web page generation. Real-world exploitation risk is low: EPSS score of 0.03% (8th percentile) reflects minimal demonstrated exploitation likelihood, no public proof-of-concept has been identified, and CISA SSVC assessment indicates exploitation is not yet observed and attack automation is infeasible.

Technical ContextAI

This vulnerability is a DOM-based XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Elfsight WhatsApp Chat CC plugin for WordPress. DOM-based XSS occurs when untrusted user input is processed and rendered directly into the Document Object Model without proper sanitization or output encoding, allowing attackers to execute arbitrary JavaScript in a victim's browser context. The plugin fails to neutralize user-supplied data before inserting it into the DOM during the page generation lifecycle. As a WordPress plugin (CPE indicates vendor=elfsight, product=elfsight_whatsapp_chat_cc), the vulnerability is present in the client-side component that handles WhatsApp chat widget initialization and rendering.

RemediationAI

Update the Elfsight WhatsApp Chat CC plugin to version 1.2.1 or later. Site administrators should navigate to WordPress Admin Dashboard > Plugins, locate 'Elfsight WhatsApp Chat CC', and install the available update. If automatic updates are disabled, download the latest version from the official WordPress plugin repository or Elfsight's website and install manually. No interim workarounds are available; patching is the primary remediation. For detailed vulnerability information and confirmation of patched versions, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/elfsight-whatsapp-chat/vulnerability/wordpress-elfsight-whatsapp-chat-cc-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39696.

Share

CVE-2026-39696 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy