Jheck Chat Security & Risk Analysis

wordpress.org/plugins/jheck-chat

Simple WordPress chat plugin using ajax.

10 active installs · v1.4 · PHP + · WP 3.3+ · Updated Mar 11, 2016
Tags: ajax-chat, chat, chatting, free-chat, live-chat
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Jheck Chat Safe to Use in 2026?

Generally Safe

Score 85/100

Jheck Chat has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The jheck-chat plugin v1.4 presents a concerning security posture due to significant weaknesses identified in its static analysis. A prominent issue is the presence of an unprotected AJAX handler, creating a direct entry point for potential attacks without proper authentication or authorization. The plugin also exhibits poor data handling practices, with all SQL queries being executed without prepared statements, increasing the risk of SQL injection vulnerabilities. Furthermore, the extremely low percentage of properly escaped output (3%) suggests a high likelihood of Cross-Site Scripting (XSS) vulnerabilities across numerous output points. The taint analysis confirms these concerns, revealing two high-severity flows with unsanitized paths, which are critical indicators of exploitable vulnerabilities. While the plugin has no recorded vulnerability history (CVEs), this absence does not negate the evident risks identified within the code itself. The plugin demonstrates some good practices by including nonce and capability checks in several places, and utilizing Select2, but these are overshadowed by the critical lack of input validation and secure coding practices in key areas.

Key Concerns

  • Unprotected AJAX handler
  • SQL queries without prepared statements
  • Low percentage of properly escaped output
  • High severity taint flows with unsanitized paths
  • Use of create_function (deprecated and dangerous)
Vulnerabilities
None known

Jheck Chat Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Jheck Chat Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 9 (0 prepared)
  • Unescaped Output: 195 (7 escaped)
  • Nonce Checks: 4
  • Capability Checks: 8
  • File Operations: 7
  • External Requests: 3
  • Bundled Libraries: 1

Dangerous Functions Found

create_function · vafpress\bootstrap.php:195
add_filter( 'wp_default_editor', create_function('', 'return "tinymce";') );

Bundled Libraries

Select2

SQL Query Safety

0% prepared · 9 total queries

Output Escaping

3% escaped · 202 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
vp_ajax_wrapper (vafpress\bootstrap.php:75)
[Data flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized]
Attack Surface
1 unprotected

Jheck Chat Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_vp_ajax_wrapper · vafpress\bootstrap.php:71

Shortcodes 1

[jheck_chat] · inc\shortcodes\s_jcform.php:18

WordPress Hooks 32

action · init · jheck-chat.php:74
action · wp_enqueue_scripts · jheck-chat.php:75
action · wp_loaded · jheck-chat.php:76
action · wp_footer · jheck-chat.php:82
action · after_setup_theme · vafpress\bootstrap.php:41
action · tgmpa_register · vafpress\bootstrap.php:47
action · init · vafpress\bootstrap.php:112
action · current_screen · vafpress\bootstrap.php:113
action · admin_enqueue_scripts · vafpress\bootstrap.php:114
action · current_screen · vafpress\bootstrap.php:115
filter · clean_url · vafpress\bootstrap.php:116
action · admin_footer · vafpress\bootstrap.php:161
filter · wp_default_editor · vafpress\bootstrap.php:195
action · init · vafpress\classes\metabox.php:43
action · vp_option_first_activation · vafpress\classes\option.php:81
action · admin_menu · vafpress\classes\option.php:100
action · admin_notices · vafpress\classes\option.php:162
action · current_screen · vafpress\classes\shortcodegenerator.php:47
action · admin_footer · vafpress\classes\shortcodegenerator.php:58
filter · mce_external_plugins · vafpress\classes\shortcodegenerator.php:288
filter · mce_buttons · vafpress\classes\shortcodegenerator.php:289
filter · wp_fullscreen_buttons · vafpress\classes\shortcodegenerator.php:290
filter · admin_print_styles · vafpress\classes\shortcodegenerator.php:291
action · admin_enqueue_scripts · vafpress\classes\wp\enqueuer.php:27
action · admin_head · vafpress\includes\wpalchemy\MetaBox.php:22
action · admin_footer · vafpress\includes\wpalchemy\MetaBox.php:24
action · admin_init · vafpress\includes\wpalchemy\MetaBox.php:506
action · import_post_meta · vafpress\includes\wpalchemy\MetaBox.php:509
filter · output · vafpress\includes\wpalchemy\MetaBox.php:569
action · save_post · vafpress\includes\wpalchemy\MetaBox.php:579
action · admin_head · vafpress\includes\wpalchemy\MetaBox.php:619
action · admin_footer · vafpress\includes\wpalchemy\MetaBox.php:621

Maintenance & Trust

Jheck Chat Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.4.34
Last updated: Mar 11, 2016
PHP min version
Downloads: 7K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10

Developer Profile

Jheck Chat Developer Profile

Jeric

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Jheck Chat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/jheck-chat/sources/css/style.css
  • /wp-content/plugins/jheck-chat/sources/font-awesome/css/font-awesome.min.css
  • /wp-content/plugins/jheck-chat/template/default/jc_template-style.css
  • /wp-content/plugins/jheck-chat/sources/css/custom-style.css
  • /wp-content/plugins/jheck-chat/sources/js/custom-scripts.js
  • /wp-content/plugins/jheck-chat/template/default/jc_template-script.js
Script Paths
  • /wp-content/plugins/jheck-chat/sources/js/custom-scripts.js
  • /wp-content/plugins/jheck-chat/template/default/jc_template-script.js
Version Parameters
  • jheck-chat/style.css?ver=
  • jheck-chat/font-awesome/css/font-awesome.min.css?ver=
  • jheck-chat/template/default/jc_template-style.css?ver=
  • jheck-chat/sources/css/custom-style.css?ver=
  • jheck-chat/sources/js/custom-scripts.js?ver=20141105
  • jheck-chat/template/default/jc_template-script.js?ver=20141105

HTML / DOM Fingerprints

JS Globals
  • JC_URL
  • JC_URL_PATH
  • JC_MYSQL_INBOX
  • JC_ENCRYPTION_KEY
  • JC_TEMPLATE_NAME

FAQ

Frequently Asked Questions about Jheck Chat