Description
Missing Authorization vulnerability in alexvtn Chatbox Manager wa-chatbox-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chatbox Manager: from n/a through <= 1.2.5.
Published: 2025-07-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vendor Chatbox Manager plugin contains a missing authorization flaw that permits users to bypass access controls when interacting with the plugin’s administrative interfaces. This broken access control can allow an attacker to modify plug‑in settings, inject content, or otherwise manipulate the WordPress site without proper privileges, matching CWE‑862. The vulnerability is present in all releases up to version 1.2.5 and does not affect later versions.

Affected Systems

The flaw specifically targets the alexvtn Chatbox Manager WordPress plugin version 1.2.5 and earlier. Any site that has installed this plugin and has it active, especially with user roles that have elevated permissions such as Editors or Contributors, may be vulnerable. No other products or vendors are listed.

Risk and Exploitability

The CVSS score of 5.4 classifies the issue as a moderate risk. The EPSS score is below 1 %, indicating a low likelihood of mass exploitation at present, and the vulnerability is not in CISA’s KEV catalog. Attackers would target the plugin’s administrative endpoints, and while the flaw does not allow arbitrary code execution, it provides a non‑trivial privilege escalation path for anyone who can reach those interfaces. The impact could compromise site configuration and displayed content.

Generated by OpenCVE AI on April 30, 2026 at 09:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chatbox Manager to the latest stable release beyond version 1.2.5.
  • If an upgrade is not immediately possible, deactivate the plugin until a patch is applied or restrict its access by removing active user roles from the plugin’s settings page.
  • Validate that WordPress user roles enforce proper capability checks; restrict installation of the plugin to administrators only.
  • Monitor site logs for unexpected access to the plugin’s administration pages.

Generated by OpenCVE AI on April 30, 2026 at 09:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21652 Missing Authorization vulnerability in alexvtn Chatbox Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chatbox Manager: from n/a through 1.2.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in alexvtn Chatbox Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chatbox Manager: from n/a through 1.2.5. Missing Authorization vulnerability in alexvtn Chatbox Manager wa-chatbox-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chatbox Manager: from n/a through <= 1.2.5.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Wed, 16 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00027}

Wed, 16 Jul 2025 10:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in alexvtn Chatbox Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chatbox Manager: from n/a through 1.2.5.
Title WordPress Chatbox Manager plugin <= 1.2.5 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:53.306Z

Reserved: 2025-05-15T18:02:16.098Z

Link: CVE-2025-48167

cve-icon Vulnrichment

Updated: 2025-07-16T14:28:26.426Z

cve-icon NVD

Status : Deferred

Published: 2025-07-16T11:15:25.193

Modified: 2026-04-23T15:30:55.240

Link: CVE-2025-48167

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T09:45:25Z

Weaknesses