The Kommo Website Chat Button: Kommo integration plugin for WordPress contains a missing authorization flaw that lets an attacker bypass the site's configured security levels. The weakness, categorized as CWE‑862, can enable unauthorized users to execute privileged actions within the plugin or gain access to sensitive data handled by the chat button. Although the flaw does not provide remote code execution or privilege escalation beyond the plugin’s scope, it can still expose or overwrite data if the plugin processes sensitive information. The likely attack vector is through authenticated access to the plugin’s administrative interface or any exposed endpoints that incorrectly enforce security levels, assuming the attacker can obtain or forge the appropriate credentials or convince a user to trigger the chat function.

The vulnerability affects the Kommo Website Chat Button: Kommo integration plugin for WordPress. Versions from the earliest available releases up to and including 1.3.1 are vulnerable. Sites using any impacted version should consider this a critical operational weakness.

The CVSS score of 4.3 indicates medium severity, largely because the impact is confined to the plugin and requires either local or authenticated access. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker who can authenticate with a user role that has access to the plugin’s settings or endpoints could exploit the flaw to perform unauthorized actions within the chat interface, potentially affecting data confidentiality and integrity. The risk remains modest but warrants timely remediation.