Description
The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.
Published: 2025-11-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized plugin settings reset
Action: Apply patch
AI Analysis

Impact

The WSChat – WordPress Live Chat plugin has a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to and including 3.1.6. Any authenticated user with Subscriber-level access or higher can reset the plugin's configuration, disrupting chat availability and any workflows that depend on the live chat integration. The weakness is classified as CWE-862 (Missing Authorization): the endpoint is reachable by every logged-in user, but it never verifies that the caller holds a capability such as manage_options, the capability WordPress plugins normally require before changing their settings. It is an authorization bypass rather than a privilege escalation; the attacker's role does not change, but a state-changing action reserved for administrators becomes available to the lowest-privileged account.
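To make the CWE-862 pattern concrete, the following is an added illustration written for this page, not code from WSChat or Elextensions. It shows a handler that mirrors the described flaw beside a hardened version. The hook name wp_ajax_example_reset_settings, the option name example_chat_settings, the nonce action name and the script handle are placeholders; the plugin's real identifiers are not shown on this page.

```php
<?php
// Added illustration of a missing-authorization (CWE-862) AJAX handler and its fix.
// Not WSChat code. Hook, option, nonce and script-handle names are assumed placeholders.

/**
 * VULNERABLE pattern. A wp_ajax_* hook only guarantees that the caller is logged in;
 * it does not check what the caller is allowed to do. Any Subscriber who sends
 * POST /wp-admin/admin-ajax.php with action=example_reset_settings reaches delete_option().
 */
function example_reset_settings_vulnerable() {
    delete_option( 'example_chat_settings' );
    wp_send_json_success( array( 'message' => 'settings reset' ) );
}

/**
 * HARDENED pattern. Authorization is checked before any state changes, and a nonce
 * ties the request to a page the server actually issued (CSRF defence). Both checks
 * terminate the request on failure; wp_send_json_error() calls wp_die() internally.
 */
function example_reset_settings_hardened() {
    // 1. Capability check: resetting plugin settings is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. Nonce check: rejects cross-site requests even from an administrator's browser.
    //    The nonce is issued with wp_create_nonce( 'example_reset_settings' ) and sent
    //    by the admin page as the 'nonce' request field.
    check_ajax_referer( 'example_reset_settings', 'nonce' );

    // 3. Only now mutate state.
    delete_option( 'example_chat_settings' );
    wp_send_json_success( array( 'message' => 'settings reset' ) );
}

// Register the hardened handler. The vulnerable function is deliberately left
// unregistered here; in the real plugin it would occupy this same hook.
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_hardened' );

// How the admin page obtains the nonce for its request. 'example-admin' is an assumed
// script handle that must already be registered with wp_enqueue_script() for
// wp_localize_script() to attach the data.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_reset_settings' ),
    ) );
} );
```

Neither check substitutes for the other. A nonce alone would not fix this class of bug: a Subscriber who can obtain a valid nonce (for example from a page they are allowed to view) could still reset the settings. A capability check alone leaves the administrator open to CSRF. The capability check runs first so that an unauthorized caller learns nothing about nonce validity.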

Affected Systems

All WordPress installations that have the WSChat – WordPress Live Chat plugin installed and active at version 3.1.6 or earlier. The flaw lies entirely in the plugin's PHP code and is independent of the underlying operating system, web server, or theme.

Risk and Exploitability

The CVSS v3.1 score of 4.3 classifies the issue as medium severity. The vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) records a network-reachable, low-complexity attack that needs low privileges and no user interaction, with a low impact on integrity only and none on confidentiality or availability. The EPSS score of less than 1% indicates a very low observed probability of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. Because the flaw requires an authenticated account, an attacker must first hold a Subscriber-level (or higher) login; any such user can then trigger the endpoint with a direct request to the site's admin-ajax.php handler using their own session, without administrator involvement. Sites that allow open registration (Subscriber is the default role for new accounts) therefore expose the endpoint to anyone willing to sign up. The direct impact is limited to a configuration reset, but that can still cause service disruption where the chat is a critical component of the site.

Generated by OpenCVE AI on April 28, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WSChat to a release later than 3.1.6 that adds the missing capability check, as soon as the vendor publishes one, and confirm afterwards that a non-administrator request to the 'reset_settings' endpoint is rejected.
  • If an update cannot be applied immediately, note that 'reset_settings' is an AJAX action, not a WordPress capability, so it cannot be removed with a role-management plugin. Instead, add a must-use plugin that hooks the same wp_ajax_* action at a higher priority than the plugin's callback and aborts the request unless the user holds manage_options, or unhook the plugin's callback for non-administrators.
  • As a temporary safeguard, monitor the plugin configuration for unexpected changes, keep a backup of the settings, restrict or disable open user registration if it is not needed, and consider disabling the chat feature or the entire plugin until a patched version is available.
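The mitigation in the second item and the change monitoring in the third, as an added example for site operators rather than vendor code: a must-use plugin that hooks the AJAX action before WSChat's own handler and aborts the request for non-administrators, and logs changes to the plugin's options. The hook name wp_ajax_wschat_reset_settings is an assumption derived from the endpoint name quoted in the description; confirm the real action name by grepping the plugin source for the add_action() call that registers 'reset_settings' before deploying this. The option-name prefix used for change logging is likewise assumed.

```php
<?php
/**
 * Plugin Name: WSChat reset_settings gate (temporary mitigation for CVE-2025-12751)
 * Description: Added example for this page, not vendor code. Place in wp-content/mu-plugins/
 *              so it loads before regular plugins. Remove once a fixed WSChat release is installed.
 */

// ASSUMPTION: the vulnerable endpoint is registered on this hook. Verify against the plugin
// source (grep for "wp_ajax_" and "reset_settings") and adjust before use.
const EXAMPLE_WSCHAT_RESET_HOOK = 'wp_ajax_wschat_reset_settings';

// ASSUMPTION: the plugin stores its settings in options whose names start with this prefix.
const EXAMPLE_WSCHAT_OPTION_PREFIX = 'wschat';

/**
 * Runs at priority 0, i.e. before the plugin's own callback (default priority 10).
 * Administrators fall through untouched; everyone else is stopped here.
 */
add_action( EXAMPLE_WSCHAT_RESET_HOOK, 'example_gate_wschat_reset', 0 );
function example_gate_wschat_reset() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // let the plugin's handler run for administrators
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[wschat-gate] blocked settings reset: user_id=%d login=%s ip=%s',
        $user->ID,
        $user->user_login,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
    // Terminates the request; callbacks registered at later priorities never run.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}

/**
 * Change monitoring: record who deleted or rewrote a plugin option, so an unexpected
 * reset can be traced to a user and a timestamp in the PHP error log.
 */
function example_log_wschat_option_change( $option, $what ) {
    if ( strpos( $option, EXAMPLE_WSCHAT_OPTION_PREFIX ) !== 0 ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[wschat-gate] option %s %s by user_id=%d login=%s',
        $option,
        $what,
        $user->ID,
        $user->user_login
    ) );
}
// 'delete_option' fires before the row is removed; 'updated_option' after a value changes.
add_action( 'delete_option', function ( $option ) {
    example_log_wschat_option_change( $option, 'deleted' );
} );
add_action( 'updated_option', function ( $option ) {
    example_log_wschat_option_change( $option, 'updated' );
} );
```

Two checks before relying on this: if the plugin registers its callback at priority 0 or lower, give the gate a lower (negative) priority, which add_action() accepts; and confirm the plugin does not also register the action on the wp_ajax_nopriv_* variant, since that hook is reachable without any login and the gate above would not cover it.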

Advisories

No advisories yet.

History

Thu, 20 Nov 2025 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Elextensions; Elextensions wschat; Wordpress; Wordpress wordpress
Vendors & Products                    Elextensions; Elextensions wschat; Wordpress; Wordpress wordpress

Wed, 19 Nov 2025 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 19 Nov 2025 06:00:00 +0000

Type          Values Removed   Values Added
Description                    The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.
Title                          WSChat – WordPress Live Chat <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:57.099Z

Reserved: 2025-11-05T15:05:39.124Z

Link: CVE-2025-12751

Vulnrichment

Updated: 2025-11-19T20:17:47.350Z

NVD

Status: Deferred

Published: 2025-11-19T06:15:46.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses