Does Click to Chat – HoliThemes have any unpatched vulnerabilities?

No. All known vulnerabilities in Click to Chat – HoliThemes have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Click to Chat – HoliThemes compatible with WordPress 6.9.4?

According to WordPress.org data, Click to Chat – HoliThemes 4.38 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Click to Chat – HoliThemes compatible with PHP 5.6+?

Click to Chat – HoliThemes requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Click to Chat – HoliThemes updated?

Click to Chat – HoliThemes was last updated on Mar 12, 2026. Frequent updates are generally a positive security signal.

What is Click to Chat – HoliThemes's security score?

Click to Chat – HoliThemes has a WP-Safety security score of 96/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Click to Chat – HoliThemes Security & Risk Analysis

wordpress.org/plugins/click-to-chat-for-whatsapp

WhatsApp Chat🔥. Let's make your Web page visitors contact you through 'WhatsApp', 'WhatsApp Business'. Add matching Widget✅

700K active installs v4.38 PHP 5.6+ WP 4.7+ Updated Mar 12, 2026

click-to-chatwhatsappwhatsapp-businesswhatsapp-chatwoocommerce-whatsapp

A · Safe

CVEs total3

Unpatched0

Last CVEJun 13, 2025

Plugin page Download

Safety Verdict

Is Click to Chat – HoliThemes Safe to Use in 2026?

Generally Safe

Score 96/100

Click to Chat – HoliThemes has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Jun 13, 2025Updated 22d ago

Risk Assessment

The plugin "click-to-chat-for-whatsapp" v4.38 exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query sanitization (100% prepared statements) and a high percentage of properly escaped output (99%), there are significant concerns regarding its attack surface and vulnerability history. The presence of unprotected AJAX handlers and REST API routes represents direct entry points that could be exploited without proper authentication or authorization. The static analysis also flags the use of a dangerous function ('preg_replace(/e)'), which, while not directly exploited in a taint flow in this analysis, historically has been a source of vulnerabilities such as Remote File Inclusion and Cross-Site Scripting.

The vulnerability history reveals a past pattern of high-severity issues, including High severity Cross-Site Scripting and Remote File Inclusion. The fact that there are no currently unpatched CVEs is positive, but the existence of three past vulnerabilities, with one being high severity, suggests a recurring tendency towards exploitable flaws. This historical context, combined with the identified unprotected entry points and dangerous function usage, indicates that while the current version might not have unpatched critical vulnerabilities, the potential for new ones to emerge remains.

In conclusion, the plugin has strengths in core security practices like prepared statements and output escaping. However, these are overshadowed by significant weaknesses in its attack surface management and a history of high-severity vulnerabilities. The unprotected entry points, the presence of a known dangerous function, and past vulnerability trends necessitate careful monitoring and potentially further auditing to ensure ongoing security.

Key Concerns

2 unprotected REST API routes
2 unprotected AJAX handlers
1 historical high severity CVE
2 historical medium severity CVEs
Use of dangerous function (preg_replace(/e))

Vulnerabilities

Click to Chat – HoliThemes Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

1 CVE in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

3 total CVEs

CVE-2025-5336medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Click to Chat <= 4.22 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via data-no_number Parameter

Jun 13, 2025 Patched in 4.23 (1d)

CVE-2024-3849high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Click to Chat – HoliThemes <= 3.35 - Authenticated (Contributor+) Local File Inclusion

Apr 17, 2024 Patched in 4.0 (16d)

CVE-2022-4480medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Click to Chat <= 3.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 21, 2022 Patched in 3.18.1 (398d)

Code Analysis

Analyzed Mar 16, 2026

Click to Chat – HoliThemes Code Analysis

Dangerous Functions

Raw SQL Queries

6 prepared

Unescaped Output

2618 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

preg_replace(/e)preg_replace( '/enew\inc\commons\class-ht-ctc-scripts.php:144

SQL Query Safety

100% prepared6 total queries

Output Escaping

99% escaped2637 total outputs

Attack Surface

2 unprotected

Click to Chat – HoliThemes Attack Surface

Entry Points7

Unprotected2

AJAX Handlers 2

authwp_ajax_ht_ctc_admin_dismiss_noticesnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:41

authwp_ajax_ht_ctc_deactivate_feedback_detailsnew\admin\feedback\class-ht-ctc-admin-deactivate-feedback.php:44

REST API Routes 2

GET/wp-json/click-to-chat-for-whatsapp/v1/get_ht_ctc_chat_varnew\inc\api\class-ht-ctc-rest-api.php:46

GET/wp-json/click-to-chat-for-whatsapp/v1/get_ht_ctc_variablesnew\inc\api\class-ht-ctc-rest-api.php:56

Shortcodes 3

[ht-ctc-chat] new\inc\chat\class-ht-ctc-chat-shortcode.php:29

[ht-ctc-group] new\inc\group\class-ht-ctc-group-shortcode.php:30

[ht-ctc-share] new\inc\share\class-ht-ctc-share-shortcode.php:30

WordPress Hooks 73

actionload-toplevel_page_click-to-chatnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:52

actionload-click-to-chat_page_click-to-chat-customize-stylesnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:53

actionload-click-to-chat_page_click-to-chat-greetingsnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:54

actionload-click-to-chat_page_click-to-chat-other-settingsnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:55

actionload-click-to-chat_page_click-to-chat-woocommercenew\admin\admin_commons\class-ht-ctc-admin-hooks.php:56

actionht_ctc_ah_admin_scripts_startnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:58

actionht_ctc_ah_admin_scripts_start_woo_pagenew\admin\admin_commons\class-ht-ctc-admin-hooks.php:59

actionht_ctc_ah_admin_after_sanitizenew\admin\admin_commons\class-ht-ctc-admin-hooks.php:65

actionupdate_option_ht_ctc_admin_pagesnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:68

actionupdate_option_ht_ctc_cs_optionsnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:70

actionupdate_option_ht_ctc_greetings_settingsnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:72

actionadmin_noticesnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:145

actionadmin_noticesnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:157

actionadmin_noticesnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:168

actionadmin_noticesnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:196

actionadmin_footernew\admin\admin_commons\class-ht-ctc-admin-hooks.php:203

actionwp_print_scriptsnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:431

actionadmin_enqueue_scriptsnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:437

actionwp_print_scriptsnew\admin\admin_commons\class-ht-ctc-admin-hooks.php:449

actionadd_meta_boxesnew\admin\admin_commons\class-ht-ctc-metabox.php:45

actionsave_postnew\admin\admin_commons\class-ht-ctc-metabox.php:47

actionadmin_footernew\admin\admin_demo\class-ht-ctc-admin-demo.php:145

actionadmin_enqueue_scriptsnew\admin\admin_demo\class-ht-ctc-admin-demo.php:148

actionadmin_footernew\admin\admin_demo\class-ht-ctc-admin-demo.php:151

actionadmin_menunew\admin\class-ht-ctc-admin-customize-styles.php:1771

actionadmin_initnew\admin\class-ht-ctc-admin-customize-styles.php:1772

actionadmin_menunew\admin\class-ht-ctc-admin-greetings-page.php:44

actionadmin_initnew\admin\class-ht-ctc-admin-greetings-page.php:72

actionadmin_menunew\admin\class-ht-ctc-admin-group-page.php:243

actionadmin_initnew\admin\class-ht-ctc-admin-group-page.php:244

actionadmin_menunew\admin\class-ht-ctc-admin-main-page.php:663

actionadmin_initnew\admin\class-ht-ctc-admin-main-page.php:664

actionadmin_menunew\admin\class-ht-ctc-admin-other-settings.php:1506

actionadmin_initnew\admin\class-ht-ctc-admin-other-settings.php:1507

actionadmin_enqueue_scriptsnew\admin\class-ht-ctc-admin-scripts.php:40

actionadmin_menunew\admin\class-ht-ctc-admin-share-page.php:291

actionadmin_initnew\admin\class-ht-ctc-admin-share-page.php:292

filtermce_buttons_2new\admin\components\editor.php:72

filtermce_buttons_2new\admin\components\editor_lite.php:40

actionadmin_footernew\admin\feedback\class-ht-ctc-admin-deactivate-feedback.php:53

actionadmin_enqueue_scriptsnew\admin\feedback\class-ht-ctc-admin-deactivate-feedback.php:54

actioninitnew\class-ht-ctc.php:118

filterwidget_textnew\class-ht-ctc.php:121

actionplugins_loadednew\class-ht-ctc.php:127

actionrest_api_initnew\inc\api\class-ht-ctc-rest-api.php:34

actioninitnew\inc\chat\class-ht-ctc-chat-shortcode.php:262

actionht_ctc_ah_before_fixed_positionnew\inc\commons\class-ht-ctc-hooks.php:55

actionht_ctc_ah_before_fixed_positionnew\inc\commons\class-ht-ctc-hooks.php:56

filterht_ctc_fh_chatnew\inc\commons\class-ht-ctc-hooks.php:59

filterht_ctc_fh_load_app_js_bottomnew\inc\commons\class-ht-ctc-hooks.php:60

filterht_ctc_fh_osnew\inc\commons\class-ht-ctc-hooks.php:63

actionwp_enqueue_scriptsnew\inc\commons\class-ht-ctc-scripts.php:35

actionht_ctc_ah_in_fixed_positionnew\inc\greetings\class-ht-ctc-chat-greetings.php:33

actioninitnew\inc\group\class-ht-ctc-group-shortcode.php:196

actionwp_footernew\inc\group\class-ht-ctc-group.php:179

actioninitnew\inc\share\class-ht-ctc-share-shortcode.php:214

actionwp_footernew\inc\share\class-ht-ctc-share.php:197

filterht_ctc_fh_chatnew\tools\woo\class-ht-ctc-woo.php:39

actionwoocommerce_after_shop_loop_itemnew\tools\woo\class-ht-ctc-woo.php:49

actionht_ctc_ah_admin_includes_after_main_pagenew\tools\woo\ht-ctc-woo.php:38

actionadmin_menunew\tools\woo\woo-admin\class-ht-ctc-admin-woo-page.php:32

actionadmin_initnew\tools\woo\woo-admin\class-ht-ctc-admin-woo-page.php:33

actionadmin_enqueue_scriptsprev\admin\class-ccw-add-styles-scripts-admin.php:39

actionadmin_menuprev\admin\class-ccw-admin-menu.php:69

actionadmin_menuprev\admin\class-ccw-admin-menu.php:71

actionadmin_initprev\admin\class-ccw-admin-page-customize-styles.php:807

actionadmin_initprev\admin\class-ccw-admin-page.php:637

actionwp_enqueue_scriptsprev\inc\class-ccw-add-styles-scripts.php:67

actioninitprev\inc\class-ccw-shortcode.php:314

actionwp_footerprev\inc\class-ht-ccw-chat.php:35

actioninitprev\inc\class-ht-ccw.php:146

filterwidget_textprev\inc\class-ht-ccw.php:150

actionplugins_loadedprev\inc\class-ht-ccw.php:158

Maintenance & Trust

Click to Chat – HoliThemes Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 12, 2026

PHP min version5.6

Downloads19.4M

Community Trust

Rating96/100

Number of ratings132

Active installs700K

Alternatives

Click to Chat – HoliThemes Alternatives

Social Chat – Click To Chat App Button

wp-whatsapp-chat

100

WhatsApp Chat🔥 allows you to enhance customer engagement! Integrate "WhatsApp" or "WhatsApp Business" with a single click.

200K 1 CVE

WP Chat App

wp-whatsapp

Integrate WhatsApp experience directly into your WordPress website.

100K 6 CVEs

Contact Form to Chat Apps | Click to Chat to Order – FormyChat

social-contact-form

100

Connect contact forms and WooCommerce to WhatsApp by live click to chat. Send form data to WhatsApp Business for instant customer engagement

3K No CVEs

ChatHelp – Click to Chat Button, Chat to Order, Floating Chat & Form

chat-help

Add WhatsApp click to chat with floating chat button, chat to order for WooCommerce, and chat forms to convert visitors into customers.

1K 2 CVEs

Watso – Basic Help Chat Button

watso-basic-chat

100

Lightweight and blazing-fast WhatsApp chat button for WordPress with full customization, UTM tracking, multi-agent support, and scheduling.

100 No CVEs

Developer Profile

Click to Chat – HoliThemes Developer Profile

HoliThemes

1 plugin · 700K total installs

trust score

Avg Security Score

96/100

Avg Patch Time

138 days

View full developer profile

Detection Fingerprints

How We Detect Click to Chat – HoliThemes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/click-to-chat-for-whatsapp/new/admin/admin_demo/admin-demo.js/wp-content/plugins/click-to-chat-for-whatsapp/new/admin/admin_demo/admin-demo.css/wp-content/plugins/click-to-chat-for-whatsapp/new/admin/admin_demo/admin-demo-animations.css

Script Paths

new/admin/admin_demo/admin-demo.js

Version Parameters

click-to-chat-for-whatsapp/new/admin/admin_demo/admin-demo.js?ver=click-to-chat-for-whatsapp/new/admin/admin_demo/admin-demo.css?ver=click-to-chat-for-whatsapp/new/admin/admin_demo/admin-demo-animations.css?ver=

HTML / DOM Fingerprints

CSS Classes

ctc_no_democtc_demo_stylectc_ad_main_page_on_change_stylectc_ad_main_page_on_change_inputctc_ad_main_page_on_change_input_update_varctc_demo_positionctc_an_demo_btnctc_ee_demo_btn+3 more

HTML Comments

click to chatclass names added to settings pages for demo purpose:direct class names used for demo:check if admin demo is active.. (added inside to run only in ctc admin pages..)+2 more

Data Attributes

data-update-typedata-update-type-2data-update-selector

JS Globals

ht_ctc_admin_demo_activeht_ctc_chat_optionsht_ctc_othersettings

FAQ