Vendor
Unauthenticated attackers can exploit CVE-2026-15291, a vulnerability in the Chat Help - Click to Chat Button & Form WordPress plugin (versions up to and including 3.1.3), due to a lack of authentication and authorization checks on specific REST API endpoints (/wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}), allowing them to extract sensitive user data, including names, email addresses, phone numbers, WhatsApp messages, complete geolocation data, device fingerprinting, and WordPress account credentials for logged-in users who submitted forms.