Cnvrse Security & Risk Analysis

wordpress.org/plugins/cnvrse

Add live chat to WordPress in seconds. Reply from your dashboard or Telegram. No external accounts, no monthly fees, 100% privacy-focused.

0 active installs · v026.02.10.20 · PHP 7.4+ · WP 6.1+ · Updated Mar 2, 2026
Tags: chat-widget, live-chat, messaging, support, telegram
Score: 78 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Feb 11, 2026
Safety Verdict

Is Cnvrse Safe to Use in 2026?

Mostly Safe

Score 78/100

Cnvrse is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Feb 11, 2026 · Updated 1mo ago
Risk Assessment

The cnvrse plugin v026.02.10.20 exhibits a mixed security posture. On the positive side, it implements nonce checks and capability checks on its identified entry points, and the vast majority of its SQL queries use prepared statements, which is a significant strength. However, several concerns warrant attention. The presence of the `shell_exec` function is a critical red flag: it becomes a vector for remote code execution if attacker-influenced data reaches the command string without proper sanitization. All six detected calls are in provision\migrations\verify-migration-status.php and interpolate `{$plugin_dir}` into `grep` command lines.

Taint analysis reveals two high-severity flows with unsanitized paths, indicating potential vulnerabilities where user-supplied data could be manipulated to affect file paths or other sensitive operations. While the overall attack surface of AJAX handlers is small and appears to be protected by checks, these taint flows suggest that the sanitization within those handlers or related functions might be insufficient. Furthermore, the plugin has a known CVE history, including a currently unpatched medium-severity vulnerability (CVE-2025-69394) classified as Authorization Bypass Through User-Controlled Key. This pattern suggests a historical weakness in how user input is validated for authorization purposes.

In conclusion, while cnvrse implements some robust security measures, the use of dangerous functions like `shell_exec`, the high-severity unsanitized taint flows, and the existing unpatched CVE point to significant areas of risk that require immediate attention and remediation.

Key Concerns

  • Unpatched CVE exists (medium severity)
  • High severity taint flows with unsanitized paths
  • Dangerous function detected (shell_exec)
  • Only 69% of output is properly escaped
  • Fewer than 100% of SQL queries use prepared statements

Vulnerabilities: 1

Cnvrse Security Vulnerabilities

CVEs by Year

2026: 1 CVE · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-69394 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

Cnvrse <= 026.02.10.20 - Unauthenticated Insecure Direct Object Reference

Feb 11, 2026 · Unpatched
Code Analysis
Analyzed Mar 17, 2026

Cnvrse Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 42 (176 prepared)
Unescaped Output: 132 (300 escaped)
Nonce Checks: 5
Capability Checks: 14
File Operations: 3
External Requests: 10
Bundled Libraries: 0

Dangerous Functions Found

shell_exec · provision\migrations\verify-migration-status.php:156
$repo_usage = shell_exec( "grep -r 'Cnvrse_Conversation_Repository::instance' {$plugin_dir} --includ…

shell_exec · provision\migrations\verify-migration-status.php:164
$postmeta_calls = shell_exec( "grep -r \"get_post_meta.*'_cnvrse_\" {$plugin_dir} --include='*.php' …

shell_exec · provision\migrations\verify-migration-status.php:169
$get_posts_calls = shell_exec( "grep -r \"get_posts.*'cnvrsation'\" {$plugin_dir} --include='*.php' …

shell_exec · provision\migrations\verify-migration-status.php:174
$insert_calls = shell_exec( "grep -r \"wp_insert_post.*'cnvrsation'\" {$plugin_dir} --include='*.php…

shell_exec · provision\migrations\verify-migration-status.php:179
$update_calls = shell_exec( "grep -r \"wp_update_post\" {$plugin_dir} --include='*.php' | grep -i cn…

shell_exec · provision\migrations\verify-migration-status.php:184
$taxonomy_calls = shell_exec( "grep -r \"wp_set_object_terms.*'cnvrse_status'\" {$plugin_dir} --incl…

SQL Query Safety

81% prepared · 218 total queries

Output Escaping

69% escaped · 432 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
<class-cnvrse-rest-api-manager> (src\Core\class-cnvrse-rest-api-manager.php:0)
Attack Surface

Cnvrse Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

auth · wp_ajax_cnvrse_migration_progress · src\migrations\class-cnvrse-migration-manager.php:67
auth · wp_ajax_cnvrse_dismiss_migration_notice · src\migrations\class-cnvrse-migration-manager.php:70

WordPress Hooks: 47

action · cnvrse_migrate_batch · provision\migrations\004-migrate-data.php:308
action · admin_enqueue_scripts · src\Actions\class-cnvrse-admin-hooks.php:53
action · admin_init · src\Actions\class-cnvrse-admin-hooks.php:54
filter · admin_body_class · src\Actions\class-cnvrse-admin-hooks.php:55
action · init · src\Actions\class-cnvrse-conversation-hooks.php:54
action · init · src\Actions\class-cnvrse-conversation-hooks.php:55
action · before_delete_post · src\Actions\class-cnvrse-conversation-hooks.php:58
filter · manage_cnvrsation_posts_columns · src\Actions\class-cnvrse-conversation-hooks.php:61
action · manage_cnvrsation_posts_custom_column · src\Actions\class-cnvrse-conversation-hooks.php:62
filter · manage_edit-cnvrsation_sortable_columns · src\Actions\class-cnvrse-conversation-hooks.php:63
action · cnvrse_auto_close_conversations · src\Actions\class-cnvrse-conversation-hooks.php:66
action · init · src\Actions\class-cnvrse-conversation-hooks.php:67
action · init · src\Actions\class-cnvrse-conversation-hooks.php:68
filter · cron_schedules · src\Actions\class-cnvrse-conversation-hooks.php:69
action · cnvrse_check_inactive_visitors · src\Actions\class-cnvrse-conversation-hooks.php:70
action · wp_enqueue_scripts · src\Actions\class-cnvrse-frontend-hooks.php:53
action · rest_api_init · src\Actions\class-cnvrse-rest-api-hooks.php:62
action · init · src\bootstrap.php:225
action · plugins_loaded · src\bootstrap.php:226
action · admin_init · src\bootstrap.php:227
filter · rest_allowed_cors_headers · src\bootstrap.php:228
filter · allowed_http_origins · src\bootstrap.php:229
action · cnvrse_cleanup_transients · src\bootstrap.php:230
action · plugins_loaded · src\bootstrap.php:378
action · admin_bar_menu · src\Infrastructure\AdminBar\class-cnvrse-admin-bar-menu.php:63
action · wp_enqueue_scripts · src\Infrastructure\AdminBar\class-cnvrse-admin-bar-menu.php:64
action · admin_enqueue_scripts · src\Infrastructure\AdminBar\class-cnvrse-admin-bar-menu.php:65
action · init · src\Infrastructure\AdminBar\class-cnvrse-notification-center.php:75
action · shutdown · src\Infrastructure\AdminBar\class-cnvrse-notification-center.php:76
action · rest_api_init · src\Infrastructure\Http\class-cnvrse-cors-handler.php:33
action · init · src\Infrastructure\Http\class-cnvrse-cors-handler.php:34
action · admin_init · src\migrations\class-cnvrse-migration-manager.php:61
action · admin_notices · src\migrations\class-cnvrse-migration-manager.php:64
action · cnvrse_run_migration_batch · src\migrations\class-cnvrse-migration-manager.php:73
action · admin_menu · src\Navigation\class-cnvrse-admin-menu.php:67
action · admin_menu · src\Navigation\class-cnvrse-admin-menu.php:69
action · admin_menu · src\Navigation\class-cnvrse-admin-menu.php:71
action · load-toplevel_page_cnvrse · src\Navigation\class-cnvrse-admin-menu.php:72
action · load-cnvrse_page_cnvrse-settings · src\Navigation\class-cnvrse-admin-menu.php:73
filter · cron_schedules · src\signals\class-cnvrse-signals-scheduler.php:35
action · cnvrse_signals_heartbeat · src\signals\class-cnvrse-signals-scheduler.php:36
action · admin_init · src\signals\class-cnvrse-signals-scheduler.php:37
action · cnvrse_signals_on_activation · src\signals\class-cnvrse-signals-tracker.php:28
action · cnvrse_signals_on_deactivation · src\signals\class-cnvrse-signals-tracker.php:29
action · admin_init · src\signals\class-cnvrse-signals.php:103
action · cnvrse_weekly_telemetry · src\signals\class-cnvrse-signals.php:106
filter · cron_schedules · src\signals\class-cnvrse-signals.php:119

Scheduled Events: 16

cnvrse_migrate_batch
cnvrse_auto_close_conversations
cnvrse_check_inactive_visitors
cnvrse_cleanup_transients
cnvrse_run_migration_batch
cnvrse_run_migration_batch
cnvrse_run_migration_batch
cnvrse_signals_heartbeat
cnvrse_signals_heartbeat
cnvrse_signals_heartbeat
cnvrse_signals_heartbeat
cnvrse_signals_heartbeat
cnvrse_signals_heartbeat
cnvrse_signals_heartbeat
cnvrse_signals_heartbeat
cnvrse_weekly_telemetry
Maintenance & Trust

Cnvrse Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 2, 2026
PHP min version: 7.4
Downloads: 463

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Cnvrse Developer Profile

cnvrse

1 plugin · 0 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Cnvrse

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cnvrse/assets/css/cnvrse-admin.css
/wp-content/plugins/cnvrse/assets/js/cnvrse-admin-telegram.js
/wp-content/plugins/cnvrse/assets/js/cnvrse-core.js
/wp-content/plugins/cnvrse/assets/js/cnvrse-admin.js
/wp-content/plugins/cnvrse/assets/css/cnvrse.css
/wp-content/plugins/cnvrse/assets/js/cnvrse.js

Script Paths
/wp-content/plugins/cnvrse/assets/js/cnvrse-admin-telegram.js
/wp-content/plugins/cnvrse/assets/js/cnvrse-core.js
/wp-content/plugins/cnvrse/assets/js/cnvrse-admin.js
/wp-content/plugins/cnvrse/assets/js/cnvrse.js

Version Parameters
cnvrse-admin.css?ver=
cnvrse-admin-telegram.js?ver=
cnvrse-core.js?ver=
cnvrse-admin.js?ver=
cnvrse.css?ver=
cnvrse.js?ver=

HTML / DOM Fingerprints

CSS Classes
cnvrse-admin-page
cnvrse-chat-widget
cnvrse-chat-widget-init

HTML Comments
<!-- Cnvrse Chat Widget -->
<!-- Do not edit directly. This file is automatically generated by Cnvrse. -->
<!-- Copyright (C) 2010-2025, Renzo Johnson (email: renzo at cnvrse.com) -->

Data Attributes
data-cnvrse-widget-options
data-cnvrse-chat-id

JS Globals
cnvrseAdminParams
cnvrseDashboardV2
cnvrseChatWidgetConfig

REST Endpoints
/wp-json/cnvrse/v1/messages
/wp-json/cnvrse/v1/settings

Shortcode Output
[cnvrse_chat]