Description
The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Published: 2025-04-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The Xelion Webchat plugin for WordPress contains a missing capability check in the xwc_save_settings() function that allows any authenticated user with Subscriber or higher privileges to modify arbitrary options on the site. This flaw can lead to privilege escalation, for example by changing the default role for registration to administrator or enabling user registration so that attackers can create new administrator accounts. The weakness is categorized as CWE-862 (Missing Authorization), i.e. the handler performs a privileged action without verifying that the caller is authorized to do so.

Affected Systems

WordPress sites using the Xelion Webchat plugin version 9.1.0 or earlier are affected. All installations of the plugin within this version range must be reviewed for potential exploitation.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, reflecting high severity, yet the EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires legitimate authentication, typically as a Subscriber or higher, and goes through the plugin's admin-ajax endpoint, which lacks the capability check it should enforce. Once exploited, an attacker can alter critical site options and gain administrator-level access, posing a significant confidentiality, integrity, and availability risk if left unpatched.

Generated by OpenCVE AI on April 22, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Xelion Webchat plugin to a version newer than 9.1.0 to ensure the missing capability check is fixed.
  • If an upgrade is not immediately possible, restrict user registration settings and set the default role for new users to a non-admin role to mitigate the impact of option changes.
  • Consider hardening the AJAX admin endpoint by enforcing stricter capability checks or disabling subscriber-level access to the endpoint until a proper fix is applied.
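To make the defect class concrete, here is an illustrative WordPress admin-ajax settings handler in its weak form beside a hardened one. This is an added example written for this page, not Xelion Webchat's code: only the function name xwc_save_settings comes from the advisory; the hook name, option names, request fields and bodies are assumptions.

```php
<?php
// Illustrative admin-ajax settings handler (added example, not the plugin's code).
// Only the name xwc_save_settings is from the advisory; everything else is assumed.

// WEAK PATTERN: any logged-in user can reach a wp_ajax_* handler, and this one
// writes whatever option names the request supplies. With no capability check,
// a Subscriber can change site-wide options such as the registration defaults.
function xwc_save_settings_weak() {
    foreach ( (array) $_POST['settings'] as $name => $value ) {
        update_option( $name, $value );
    }
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce, require a real capability, and only write
// an allow-list of the plugin's own options after sanitising each value.
function xwc_save_settings_hardened() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'xwc_settings', 'nonce' );

    // The capability check the advisory says is missing: Subscribers fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    // Allow-list of option names this handler may touch (assumed names),
    // each paired with the sanitiser applied to its value.
    $allowed = array(
        'xwc_tenant_url'   => 'esc_url_raw',
        'xwc_widget_label' => 'sanitize_text_field',
    );

    $incoming = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Iterate over the allow-list, not over the request, so an attacker cannot
    // name arbitrary options like users_can_register or default_role.
    foreach ( $allowed as $name => $sanitizer ) {
        if ( array_key_exists( $name, $incoming ) ) {
            update_option( $name, call_user_func( $sanitizer, $incoming[ $name ] ) );
        }
    }
    wp_send_json_success();
}

// Register only the hardened handler for logged-in users (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_xwc_save_settings', 'xwc_save_settings_hardened' );
```

To check whether a site's registration settings have already been tampered with, `wp option get default_role` and `wp option get users_can_register` (WP-CLI) should return `subscriber` and `0` unless open registration is intended.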


Advisories

Source: EUVD
ID: EUVD-2025-12134
Title: identical to the Description above
History

Wed, 08 Apr 2026 17:00:00 +0000

Thu, 24 Apr 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 08:45:00 +0000

Type: Description
Values Added: identical to the Description above

Type: Title
Values Added: Xelion Webchat <= 9.1.0 - Authenticated (Subscriber+) Arbitrary Options Update

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:20.190Z

Reserved: 2025-03-31T22:16:07.422Z

Link: CVE-2025-3058

Vulnrichment

Updated: 2025-04-24T13:48:18.037Z

NVD

Status : Deferred

Published: 2025-04-24T09:15:30.500

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses