Impact
The AtomChat plugin for WordPress is vulnerable to a broken access control flaw that arises when security levels are incorrectly configured. Because the plugin does not correctly enforce authorization checks, a user who has not been granted the appropriate role can potentially access privileged functions or view sensitive conversation data. The problem is categorized as CWE-862 (missing authorization) and represents a risk of unauthorized data exposure or manipulation of chat content, depending on the privileges the attacker can acquire.
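As an added illustration that is not AtomChat's code, the following hypothetical WordPress AJAX handlers show the missing-authorization pattern (CWE-862) beside a hardened version that checks a nonce, a plugin-defined capability and conversation membership. All function names, the capability name and the post-meta storage layout are assumptions.

```php
<?php
// Hypothetical WordPress AJAX handlers illustrating CWE-862 (missing authorization).
// Added example code, not AtomChat's source; all names are invented.

// Hypothetical storage: a conversation is a post whose participant user ids
// are kept in the '_example_participants' post meta key.
function example_user_in_conversation( $user_id, $conversation_id ) {
    $participants = (array) get_post_meta( $conversation_id, '_example_participants', true );
    return in_array( (int) $user_id, array_map( 'intval', $participants ), true );
}
function example_load_conversation( $conversation_id ) {
    $post = get_post( $conversation_id );
    return $post ? array( 'id' => $post->ID, 'text' => $post->post_content ) : null;
}

// VULNERABLE: any authenticated user (wp_ajax_ fires for every logged-in role)
// can read any conversation; no nonce, no capability, no ownership check.
add_action( 'wp_ajax_example_get_conversation', 'example_get_conversation_vulnerable' );
function example_get_conversation_vulnerable() {
    $conversation_id = absint( $_GET['conversation_id'] ?? 0 );
    wp_send_json_success( example_load_conversation( $conversation_id ) );
}

// HARDENED: verify the nonce, require a plugin-specific capability, and
// confirm the caller is a participant before returning any chat data.
add_action( 'wp_ajax_example_get_conversation_secure', 'example_get_conversation_secure' );
function example_get_conversation_secure() {
    check_ajax_referer( 'example_chat_nonce', 'nonce' );           // CSRF protection
    if ( ! current_user_can( 'example_read_conversations' ) ) {    // role/capability check
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $conversation_id = absint( $_GET['conversation_id'] ?? 0 );
    // Object-level check: holding the capability does not prove membership.
    if ( ! example_user_in_conversation( get_current_user_id(), $conversation_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( example_load_conversation( $conversation_id ) );
}

// Grant the capability only to roles that should read chat data, so a
// misconfigured "security level" cannot silently expose conversations.
register_activation_hook( __FILE__, function () {
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( 'example_read_conversations' );
        }
    }
} );
```

Note that wp_send_json_error() terminates the request via wp_die(), so no explicit return is needed after the failed checks.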
Affected Systems
The vulnerability affects the AtomChat plugin from Team AtomChat, version 1.1.7 and earlier, as documented in the CVE record. WordPress sites running one of these plugin versions that have not applied any vendor-supplied remediation are affected.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests a low likelihood of broad exploitation. The vulnerability is not listed in the CISA KEV catalogue. The attack vector is not explicitly documented; based on the description, it is inferred that an attacker would need to leverage misconfigured access controls, potentially by interacting with the WordPress backend or gaining elevated permissions within the plugin. Even with a low EPSS, the flaw remains exploitable if an unauthorized user can attain the privileges needed to bypass the broken checks.