Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons Security & Risk Analysis

wordpress.org/plugins/sticky-chat-widget

Social chat buttons with WhatsApp, Messenger, WeChat, Telegram, Instagram, TikTok, Zalo & more — plus SMS, Call button, Contact form, and 20+ icons.

10K active installs · v1.4.0 · PHP 5.4+ · WP 5.0+ · Updated Dec 3, 2025
chat-button, chat-widget, contact-form, facebook-messenger, whatsapp-widget
100
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Dec 26, 2023
Safety Verdict

Is Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons Safe to Use in 2026?

Generally Safe

Score 100/100

Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 26, 2023 · Updated 4mo ago
Risk Assessment

Version 1.4.0 of the "sticky-chat-widget" plugin presents a mixed security posture: it follows several good practices but has a notable concern in its attack surface. Output escaping is strong (99%) and most SQL queries use prepared statements (75%), both positive indicators of secure coding. The numerous nonce checks (16) and the capability check (1) also suggest an awareness of WordPress security mechanisms. However, the analysis found that 1 of the 14 AJAX handlers lacks authentication checks. This unprotected entry point is a prime target for attackers and could lead to unauthorized actions if not properly secured.

The vulnerability history shows a past medium-severity Cross-site Scripting (XSS) vulnerability, last patched in December 2023. While there are currently no unpatched CVEs, this history indicates that the plugin has had security flaws in the past, reinforcing the need for careful scrutiny. The static analysis did not reveal any critical or high-severity taint flows, which is reassuring, but the single unprotected AJAX handler remains a critical weakness. Overall, the plugin employs several good security practices, but the unprotected AJAX handler significantly elevates the risk and warrants immediate attention and mitigation.

Key Concerns

  • Unprotected AJAX handler found
  • Past medium severity XSS vulnerability
Vulnerabilities
1

Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

Medium: 1

1 total CVE

CVE-2023-51361 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Sticky Chat Widget <= 1.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 26, 2023 Patched in 1.1.9 (28d)
Code Analysis
Analyzed Mar 16, 2026

Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (9 prepared)
Unescaped Output: 19 (1249 escaped)
Nonce Checks: 16
Capability Checks: 1
File Operations: 1
External Requests: 4
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

75% prepared · 12 total queries

Output Escaping

99% escaped · 1268 total outputs
Attack Surface
1 unprotected

Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons Attack Surface

Entry Points: 14
Unprotected: 1

AJAX Handlers 14

auth · wp_ajax_contact_ginger_form_scw · admin\admin-common.php:83
auth · wp_ajax_save_gsb_buttons_setting · admin\admin.php:41
auth · wp_ajax_gsb_buttons_change_status · admin\admin.php:44
auth · wp_ajax_gsb_buttons_remove_widget · admin\admin.php:47
auth · wp_ajax_get_gb_settings · admin\admin.php:53
auth · wp_ajax_scw_save_sign_up_info · admin\admin.php:62
auth · wp_ajax_gsb_buttons_create_widget · admin\admin.php:74
auth · wp_ajax_gsb_buttons_rename_widget · admin\admin.php:77
auth · wp_ajax_scw_leads_download_csv · admin\admin.php:80
auth · wp_ajax_gsb_buttons_remove_leads · admin\admin.php:83
auth · wp_ajax_gsb_buttons_remove_all_leads · admin\admin.php:86
auth · wp_ajax_gsb_buttons_remove_single_lead · admin\admin.php:89
auth · wp_ajax_scw_save_form_data · includes\front-end.php:57
nopriv · wp_ajax_scw_save_form_data · includes\front-end.php:60
WordPress Hooks 17
action · admin_enqueue_scripts · admin\admin-common.php:72
action · admin_menu · admin\admin-common.php:75
action · admin_head · admin\admin-common.php:77
action · in_admin_header · admin\admin-common.php:91
action · admin_footer · admin\admin-common.php:94
action · admin_notices · admin\admin-common.php:202
action · admin_enqueue_scripts · admin\admin.php:32
action · init · admin\admin.php:35
action · admin_init · admin\admin.php:38
action · admin_menu · admin\admin.php:50
action · plugins_loaded · admin\admin.php:59
action · clear_cache_for_scw_plugin · admin\admin.php:65
action · upgrader_process_complete · admin\admin.php:68
action · plugins_loaded · admin\admin.php:71
action · activated_plugin · admin\admin.php:91
action · wp_enqueue_scripts · includes\front-end.php:54
action · activated_plugin · index.php:61
Maintenance & Trust

Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version: 5.4
Downloads: 86K

Community Trust

Rating: 100/100
Number of ratings: 37
Active installs: 10K
Developer Profile

Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons Developer Profile

gingerplugins

3 plugins · 10K total installs

Trust score: 89
Avg Security Score: 93/100
Avg Patch Time: 28 days
Detection Fingerprints

How We Detect Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sticky-chat-widget/assets/css/style.css
/wp-content/plugins/sticky-chat-widget/assets/js/main.js
/wp-content/plugins/sticky-chat-widget/assets/js/frontend.js
/wp-content/plugins/sticky-chat-widget/assets/images/chat-icon.png

Script Paths
/wp-content/plugins/sticky-chat-widget/assets/js/main.js
/wp-content/plugins/sticky-chat-widget/assets/js/frontend.js

Version Parameters
sticky-chat-widget/assets/css/style.css?ver=
sticky-chat-widget/assets/js/main.js?ver=
sticky-chat-widget/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
gs-icon-wrapper
gs-widget-close-btn
gs-chat-widget

HTML Comments
<!-- Widget Script -->
<!-- Close Button -->
<!-- chat-icon -->

Data Attributes
data-id
data-nonce

JS Globals
GSB_PLUGIN_URL
GSB_PLUGIN_VERSION
GSB_PLUGIN_BASE
GSB_DEV_VERSION
FAQ

Frequently Asked Questions about Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons