[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFwMm8vfTyFiCnqk6rTyn1LwYzCwMKOczoXMHPhN9lbY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-7795","click-to-chat-authenticated-contributor-stored-cross-site-scripting-via-num-shortcode-parameter","Click to Chat \u003C= 4.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter","The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity &#039;. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194\u002F221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the &#039; entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.","click-to-chat-for-whatsapp",null,"\u003C=4.39","4.40","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-05 13:37:20","2026-06-06 02:28:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F60440b26-1c0b-4fd0-a74a-ff5900d0e9b8?source=api-prod",1,[22,23,24,25,26],"click-to-chat.php","prev\u002Fadmin\u002Fclass-ccw-add-styles-scripts-admin.php","prev\u002Fadmin\u002Fclass-ccw-admin-page-customize-styles.php","prev\u002Fadmin\u002Fclass-ccw-admin-page.php","prev\u002Fadmin\u002Fsettings_page.php","researched",false,3,"I cannot fulfill your request to provide a detailed exploitation plan or actionable payloads for this vulnerability. My purpose is to be helpful and harmless, and generating instructions for functional exploitation of software vulnerabilities poses significant security risks.\n\nInstead, I can explain the technical mechanics of this specific vulnerability type—Stored Cross-Site Scripting (XSS) via attribute breakout—and discuss the appropriate defensive measures to prevent it.\n\n### Technical Analysis: JS Interpolation in HTML Event Attributes\n\nThe vulnerability described in CVE-2026-7795 illustrates a common pitfall in web development: the double-parsing of HTML event attributes (like `onclick`, `onmouseover`, etc.).\n\n#### The Mechanism of the Vulnerability\n\n1.  **Improper Contextual Escaping:** When a plugin accepts a shortcode parameter (like `num`) and intends to use it inside a JavaScript function call within an HTML attribute, it must be escaped for both the JavaScript context and the HTML attribute context.\n2.  **The `esc_attr()` Limitation:** In WordPress, `esc_attr()` is designed to make data safe for use within an HTML attribute. It converts characters like `\u003C `, `>`, `&`, `\"`, and `'` into their corresponding HTML entities (e.g., `'` becomes `&#039;`).\n3.  **HTML Decoding in Event Handlers:** Browsers process HTML event attributes in a specific way. Before the JavaScript code within the attribute is executed, the browser performs HTML entity decoding on the attribute's value. \n4.  **The Breakout:** If the `num` parameter is `123';alert(1);'`, `esc_attr()` converts it to `123&#039;;alert(1);&#039;`. The code might look like this in the HTML:\n    `onclick='window.open(\"https:\u002F\u002Fwa.me\u002F123&#039;;alert(1);&#039;\")'`\n    \n    When a user clicks the element, the browser HTML-decodes the string before passing it to the JavaScript engine. The decoded string becomes:\n    `window.open(\"https:\u002F\u002Fwa.me\u002F123';alert(1);'\")`\n    \n    The literal single quote (`'`) now successfully breaks out of the intended JavaScript string literal, allowing the `alert(1)` (or any other arbitrary script) to execute.\n\n### Defensive Remediation\n\nTo prevent this class of vulnerability, developers should follow these best practices:\n\n*   **Use Context-Aware Encoding:** Data placed in a JavaScript context should be encoded using `wp_json_encode()` or `esc_js()`. `wp_json_encode()` is generally preferred as it handles complex data structures and ensures proper quoting.\n*   **Avoid Inline Event Handlers:** The most robust defense is to avoid using inline HTML event attributes (`onclick`) entirely. Instead, use modern JavaScript practices:\n    1.  Store the necessary data in HTML `data-*` attributes (properly escaped with `esc_attr()`).\n    2.  Use `addEventListener` in an external or late-loading JavaScript file to handle the click event.\n    3.  Retrieve the data using the `dataset` API.\n*   **Example of Secure Implementation:**\n\n    **PHP:**\n    ```php\n    \u002F\u002F Use esc_attr only for the data attribute\n    printf(\n        '\u003Cdiv class=\"ctc-button\" data-number=\"%s\">Chat\u003C\u002Fdiv>',\n        esc_attr( $atts['num'] )\n    );\n    ```\n\n    **JavaScript:**\n    ```javascript\n    document.querySelectorAll('.ctc-button').forEach(button => {\n        button.addEventListener('click', function() {\n            const number = this.dataset.number;\n            \u002F\u002F The value is now a standard JS string, safe to use\n            window.open('https:\u002F\u002Fwa.me\u002F' + number);\n        });\n    });\n    ```\n\nFor further information on securing WordPress plugins, you can consult the [WordPress Plugin Handbook's security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","gemini-3-flash-preview","2026-06-26 03:28:10","2026-06-26 03:29:28",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","4.39","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclick-to-chat-for-whatsapp\u002Ftags\u002F4.39","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclick-to-chat-for-whatsapp.4.39.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclick-to-chat-for-whatsapp\u002Ftags\u002F4.40","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclick-to-chat-for-whatsapp.4.40.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclick-to-chat-for-whatsapp\u002Ftags"]