Skip to main content

Chathelp Click To Chat Button Woocommerce Chat To Order Floating Chat Form

1 CVEs product

Monthly

CVE-2026-15759 MEDIUM This Month

Stored Cross-Site Scripting in the ChatHelp plugin for WordPress (versions through 3.5.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'number' and 'group' shortcode attributes, which execute in victims' browsers on page load. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode rendering layer, identified across multiple source files in CustomButtonsTemplates.php and CustomShortcode.php. No public exploit code has been identified at time of analysis, and the plugin is not listed in CISA KEV; however, Wordfence has published a threat intelligence entry and a patch changeset exists in the WordPress plugin repository.

WordPress XSS Chathelp Click To Chat Button Woocommerce Chat To Order Floating Chat Form
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the ChatHelp plugin for WordPress (versions through 3.5.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'number' and 'group' shortcode attributes, which execute in victims' browsers on page load. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode rendering layer, identified across multiple source files in CustomButtonsTemplates.php and CustomShortcode.php. No public exploit code has been identified at time of analysis, and the plugin is not listed in CISA KEV; however, Wordfence has published a threat intelligence entry and a patch changeset exists in the WordPress plugin repository.

WordPress XSS Chathelp Click To Chat Button Woocommerce Chat To Order Floating Chat Form
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy