Impact
The vulnerability is a missing authorization flaw: access control in the Chat by Chatwee plugin is not correctly enforced, so an attacker can perform actions that should have required permission. This can lead to unauthorized actions such as reading or manipulating chat content. The description does not explicitly mention privilege escalation, but it is inferred that if higher-privilege users exist, an attacker might elevate privileges through the chat feature. The weakness is classified as CWE-862 (Missing Authorization), indicating unauthorized access due to missing permissions checks.
Affected Systems
The affected product is Chatwee’s Chat by Chatwee plugin for WordPress; all releases from the initial release through version 2.1.3 are affected. Administrators should verify the installed plugin version and upgrade if it falls within this range.
Risk and Exploitability
The CVSS score of 4.3 signifies low to moderate severity, and the EPSS score of < 1% indicates an exceptionally low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, so there is no indication that it is being actively exploited. The likely attack surface is the WordPress administrative interface or the plugin’s exposed endpoints, where an attacker may leverage existing user credentials or social engineering to interact with chat data. Based on the description, it is inferred that the attack could be carried out by an authenticated or an unauthenticated user depending on the plugin configuration, and that the attack vector is a web-based interface.
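To make the CWE-862 pattern concrete, the following illustrative WordPress REST handlers show an endpoint with no authorization check beside a hardened version that enforces one. This is added example code, not Chatwee’s plugin code; the route namespace, option key and capability names are assumptions.

```php
<?php
// Illustrative WordPress REST handlers for a chat-style plugin. This is NOT
// Chatwee's code; the route names, option key and capability are assumptions
// chosen to show the CWE-862 pattern and its fix.

// Vulnerable pattern: the route is reachable by anyone because the
// permission_callback unconditionally returns true. Any visitor can read or
// overwrite the stored chat settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/settings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_chat_settings_handler',
        'permission_callback' => '__return_true', // CWE-862: no authorization check
    ) );
} );

// Hardened pattern: the same route, but the server decides who may call it.
// Reads require a logged-in user; writes require manage_options, and the
// write path also sanitizes its input instead of storing it blindly.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/settings-secure', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_chat_settings_handler',
        'permission_callback' => 'example_chat_settings_permission',
        'args'                => array(
            'room_name' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_chat_settings_permission( WP_REST_Request $request ) {
    if ( 'POST' === $request->get_method() ) {
        // Only site administrators (manage_options) may change settings.
        return current_user_can( 'manage_options' );
    }
    // Reading requires any authenticated user; anonymous requests are refused.
    return is_user_logged_in();
}

function example_chat_settings_handler( WP_REST_Request $request ) {
    $option = 'example_chat_settings'; // assumed option key
    if ( 'POST' === $request->get_method() ) {
        $settings = array( 'room_name' => $request->get_param( 'room_name' ) );
        update_option( $option, $settings );
        return rest_ensure_response( $settings );
    }
    return rest_ensure_response( get_option( $option, array() ) );
}
```

With cookie-based authentication the REST API additionally requires a valid X-WP-Nonce header; a request without it is treated as anonymous, so the hardened permission callback still denies it.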
OpenCVE Enrichment