WP Click to Chat – Email, Live Chat, Call & Book Now Buttons Security & Risk Analysis

The "support-chat" plugin v2.3.6 demonstrates generally good security practices, with all identified entry points having authorization checks, no dangerous functions used, and all SQL queries employing prepared statements. The plugin also shows a strong adherence to output escaping, with 87% of outputs properly sanitized, and all four AJAX handlers include nonce checks. Taint analysis did not reveal any critical or high-severity vulnerabilities related to unsanitized data flow.

Despite these strengths, the plugin has a history of two medium-severity vulnerabilities, both related to Cross-Site Scripting (XSS). The fact that the last vulnerability was dated March 27, 2025, and is currently unpatched is a significant concern, indicating a potential for recurring XSS issues or a lack of recent security maintenance. While the static analysis shows no immediate critical flaws, the historical trend of XSS vulnerabilities, coupled with the unpatched medium-severity issue, suggests a need for vigilance and further investigation into the root causes of these past issues.

In conclusion, while the current version of "support-chat" exhibits a solid foundation in secure coding practices, the historical context of medium-severity XSS vulnerabilities and the existence of an unpatched issue necessitate a cautious approach. The plugin's strengths lie in its robust handling of SQL and input validation at the entry points. However, the recurring nature of XSS and the unpatched vulnerability are significant weaknesses that could be exploited if not addressed.