Impact
The Chatbox Manager plugin exposes functionality without an authorization check: requests reach privileged handlers without the plugin verifying that the caller holds the capability the operation requires. The advisory describes this as allowing an attacker to invoke operations such as creating, editing or deleting chat widgets, changing configuration settings, or retrieving stored messages. Because the plugin runs inside the WordPress process, the realistic consequences are loss of confidentiality (stored chat content) and loss of integrity (plugin configuration and widget content served to site visitors). The original description also suggests elevated control over the site's administrative interface; a CVSS base score of 5.3 is consistent with a limited, single-impact outcome rather than full administrative takeover, so that possibility should be treated as unconfirmed.
Affected Systems
The flaw affects the alexvtn Chatbox Manager WordPress plugin in all versions up to and including 1.2.2. Any WordPress site with the plugin active is affected. Whether an attacker needs an account depends on how the unprotected handlers are registered: a handler exposed only to logged-in users is reachable by any account the site issues, while one exposed to unauthenticated requests is reachable by anyone who can send HTTP to the site.
Risk and Exploitability
The CVSS base score of 5.3 falls in the Medium range, and the EPSS score below 1% indicates a low predicted probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation amounts to sending crafted HTTP requests directly to the plugin's handlers (in WordPress these are typically admin-ajax.php actions or REST API routes), bypassing whatever admin page normally fronts them; no exploit code is needed beyond knowing the request format. Whether a session is required depends on the hook used: an action registered only with wp_ajax_ needs any logged-in account, and a subscriber-level account suffices when no capability is checked, while an action registered with wp_ajax_nopriv_, or a REST route whose permission_callback always returns true, is reachable anonymously. Sites that allow open registration, or that reuse weak credentials on low-privilege accounts, should therefore assume the unprotected handlers are reachable by anyone.
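The following is an added illustration of the vulnerability class described above, not code from the Chatbox Manager plugin or its author. It places the missing-authorization pattern beside its hardened form using the standard WordPress hooks. The action name (cbm_save_widget), option keys, callback names and the REST namespace are hypothetical.

```php
<?php
// Added illustration of a missing-authorization AJAX handler in a WordPress
// plugin, and the same handler with authorization and CSRF checks.
// Not Chatbox Manager's own code; all names below are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// The handler is hooked for logged-in users (wp_ajax_) AND for anonymous
// visitors (wp_ajax_nopriv_), and the callback never checks a capability or a
// nonce. Anyone who can POST to /wp-admin/admin-ajax.php?action=cbm_save_widget
// can overwrite the plugin's configuration.
add_action( 'wp_ajax_cbm_save_widget', 'cbm_save_widget_insecure' );
add_action( 'wp_ajax_nopriv_cbm_save_widget', 'cbm_save_widget_insecure' );

function cbm_save_widget_insecure() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'cbm_widget_settings', $settings ); // unchecked, unsanitized write
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// Register for authenticated users only, then verify both the capability
// (authorization) and the nonce (request forgery) before touching state.
add_action( 'wp_ajax_cbm_save_widget', 'cbm_save_widget_secure' );

function cbm_save_widget_secure() {
    // Authorization: only users allowed to manage the site may change config.
    // wp_send_json_error() emits the response and terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // CSRF: the nonce is created server-side with wp_create_nonce( 'cbm_save_widget' )
    // and sent by the plugin's own JavaScript; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'cbm_save_widget', 'nonce' );

    // Whitelist and sanitize the fields instead of storing the raw POST body.
    $raw = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }
    $settings = array(
        'title'   => sanitize_text_field( isset( $raw['title'] ) ? $raw['title'] : '' ),
        'enabled' => ! empty( $raw['enabled'] ),
    );
    update_option( 'cbm_widget_settings', $settings );
    wp_send_json_success( $settings );
}

// --- REST route equivalent ----------------------------------------------
// For REST routes the authorization check lives in permission_callback.
// A permission_callback of '__return_true' on a privileged route is the same
// bug as the unchecked AJAX handler above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'cbm/v1', '/messages', array(
        'methods'             => 'GET',
        'callback'            => 'cbm_get_messages',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function cbm_get_messages( WP_REST_Request $request ) {
    // Reached only after permission_callback returned true.
    return rest_ensure_response( get_option( 'cbm_messages', array() ) );
}
```

When auditing a plugin for this class of flaw, the quick check is to list every add_action call whose hook begins with wp_ajax_ or wp_ajax_nopriv_ and every register_rest_route call, then confirm that each callback (or permission_callback) reaches a current_user_can check for a capability appropriate to the operation before it reads or writes anything. A nonce check on its own does not substitute for the capability check: nonces prove the request originated from the plugin's own page for that user, not that the user is allowed to perform the action.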
OpenCVE Enrichment