PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15291 themeatelier CVE debrief

The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure, allowing unauthenticated attackers to extract sensitive data. This CVE record was published on 2026-07-10T05:16:32.430Z. The vulnerability exists in all versions up to, and including, 3.1.3 via REST API endpoints. Affected users should update the plugin and review security measures.

Vendor
themeatelier
Product
ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

WordPress users and administrators who have installed the Chat Help – Click to Chat Button & Form plugin, especially those who have sensitive data such as customer information, should be aware of this vulnerability.

Technical summary

The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}. This is due to the plugin not performing any authentication and authorization checks. This makes it possible for unauthenticated attackers to extract sensitive data including customer names, email addresses, phone numbers, WhatsApp messages, complete geolocation data (IP addresses, city, country, ISP, coordinates), device fingerprinting information (browser, OS, screen resolution), and WordPress account credentials (user IDs, usernames, emails, names) for logged-in users who submit forms.

Defensive priority

High priority should be given to updating the Chat Help – Click to Chat Button & Form plugin to a version that fixes this vulnerability.

Recommended defensive actions

  • Update the Chat Help – Click to Chat Button & Form plugin to the latest version.
  • Review and restrict access to the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}.
  • Implement additional security measures such as authentication and authorization checks for sensitive data.
  • Monitor for suspicious activity and implement incident response plans.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Further investigation is needed to determine the full scope and affected systems. Evidence is limited, and defenders should verify exposed systems and implement security measures. The plugin's lack of authentication and authorization checks enables the exposure. Additional security measures, such as authentication and authorization checks, are recommended.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:32.430Z and has not been modified since then. The NVD entry is currently 7.5 HIGH.