CVE-2026-39696

The Elfsight WhatsApp Chat CC plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. This issue affects versions from n/a through 1.2.0. The vulnerability arises because the plugin fails to properly sanitize user-supplied input before embedding it in the DOM, allowing an attacker to inject arbitrary JavaScript code [1].

Exploitation requires user interaction, specifically a privileged user (e.g., an admin) to click a malicious link, visit a crafted page, or submit a specially crafted form. Once the privileged user performs this action, the injected script executes in the context of their browser, but the malicious payload can then affect all visitors to the site [1].

Successful exploitation allows an attacker to inject malicious scripts that can redirect visitors, display advertisements, alter page content, or perform other actions. This can lead to defacement, credential theft, or further compromise of the WordPress site. The vulnerability has been used in mass-exploit campaigns targeting websites regardless of size or popularity [1].

Users are strongly advised to update the plugin to the latest version as soon as possible. If an update is not available or cannot be applied, consulting with a hosting provider or web developer for mitigation measures is recommended [1].