PatchSiren cyber security CVE debrief
CVE-2026-15291 themeatelier CVE debrief
The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure, allowing unauthenticated attackers to extract sensitive data. This CVE record was published on 2026-07-10T05:16:32.430Z. The vulnerability exists in all versions up to, and including, 3.1.3 via REST API endpoints. Affected users should update the plugin and review security measures.
- Vendor
- themeatelier
- Product
- ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
WordPress users and administrators who have installed the Chat Help – Click to Chat Button & Form plugin, especially those who have sensitive data such as customer information, should be aware of this vulnerability.
Technical summary
The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}. This is due to the plugin not performing any authentication and authorization checks. This makes it possible for unauthenticated attackers to extract sensitive data including customer names, email addresses, phone numbers, WhatsApp messages, complete geolocation data (IP addresses, city, country, ISP, coordinates), device fingerprinting information (browser, OS, screen resolution), and WordPress account credentials (user IDs, usernames, emails, names) for logged-in users who submit forms.
Defensive priority
High priority should be given to updating the Chat Help – Click to Chat Button & Form plugin to a version that fixes this vulnerability.
Recommended defensive actions
- Update the Chat Help – Click to Chat Button & Form plugin to the latest version.
- Review and restrict access to the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}.
- Implement additional security measures such as authentication and authorization checks for sensitive data.
- Monitor for suspicious activity and implement incident response plans.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. Further investigation is needed to determine the full scope and affected systems. Evidence is limited, and defenders should verify exposed systems and implement security measures. The plugin's lack of authentication and authorization checks enables the exposure. Additional security measures, such as authentication and authorization checks, are recommended.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:32.430Z and has not been modified since then. The NVD entry is currently 7.5 HIGH.