Description
Missing Authorization vulnerability in ThemeAtelier Chat Help chat-help allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chat Help: from n/a through <= 3.1.3.
Published: 2025-11-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862) in the ThemeAtelier Chat Help plugin for WordPress: the plugin fails to enforce proper access control, allowing attackers to bypass its intended security levels and gain unauthorized access to plugin data or functions. Because the flaw is present in all releases up to and including 3.1.3, any site running a vulnerable version could expose chat information or administrative capabilities to an attacker. WordPress installations with the ThemeAtelier Chat Help plugin at version 3.1.3 or older are affected regardless of other plugins or themes; the issue is limited to the plugin, and the WordPress core platform itself is not directly impacted. The CVSS base score of 5.3 reflects moderate severity for potential data exposure or modification, and the EPSS score of less than 1% indicates that the likelihood of exploitation is presently low; the vulnerability has not been reported in the CISA KEV catalog. However, the flaw can be triggered by any user who can submit requests to the plugin's endpoints, especially where the site owner has configured the plugin for low or no authentication. Attackers may therefore use simple crafted HTTP requests to the plugin's back-end APIs to retrieve or modify chat logs if the plugin's access levels are misconfigured.

Affected Systems

ThemeAtelier Chat Help plugin for WordPress, versions up to and including 3.1.3. This includes all WordPress sites that have installed these vulnerable plugin versions. No other vendor or product is mentioned as affected.

Risk and Exploitability

The vulnerability is rated with a CVSS score of 5.3, suggesting moderate risk. The EPSS score indicates a very low probability of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog, meaning no confirmed exploit has been documented publicly. The likely attack vector is unauthenticated or low-privileged users sending crafted HTTP requests to the plugin's API endpoints, owing to the missing enforcement of access control. Attackers could potentially read or modify chat data, depending on how the plugin is configured. Because the flaw is tied to the plugin's configuration rather than an arbitrary codepath, remediation does not require changing WordPress core. The risk is higher in environments where the plugin's access settings are weak or where the plugin is exposed to the internet without additional restrictions.

Generated by OpenCVE AI on April 29, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ThemeAtelier Chat Help plugin to the latest version that includes the access‑control fix.
  • Verify the plugin’s configuration to ensure that access levels cannot be overridden or set to allow anonymous access.
  • If the plugin is not essential, consider disabling or removing it until the security update is applied.

Generated by OpenCVE AI on April 29, 2026 at 11:41 UTC.
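To make the CWE-862 pattern behind this advisory concrete, the following is an added illustration in a hypothetical WordPress plugin; it is not ThemeAtelier's code and says nothing about which Chat Help endpoint is affected. The action name demo_chat_export, the option name demo_chat_transcripts and the REST namespace demo-chat/v1 are assumptions. The first handler shows the vulnerable shape (an admin-ajax action registered for anonymous callers with no capability check), the second shows the hardened form, and the REST route shows where the same check belongs when the endpoint is exposed through the REST API.

```php
<?php
/**
 * Added illustration (hypothetical plugin, not ThemeAtelier's code):
 * missing authorization (CWE-862) on a WordPress endpoint, and its fix.
 * All action, option and route names below are constructed for this example.
 */

// --- Vulnerable pattern -------------------------------------------------
// The handler reads stored chat transcripts and returns them, but never asks
// who the caller is. Registering the wp_ajax_nopriv_ hook makes the action
// reachable by unauthenticated requests to admin-ajax.php, so "security
// levels" configured in the plugin UI are never enforced server-side.
function demo_chat_export_vulnerable() {
    $chats = get_option( 'demo_chat_transcripts', array() ); // hypothetical option
    wp_send_json_success( $chats );
}
add_action( 'wp_ajax_demo_chat_export_v1',        'demo_chat_export_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_chat_export_v1', 'demo_chat_export_vulnerable' );

// --- Hardened form ------------------------------------------------------
// Authorization is decided in the handler with current_user_can(), a nonce
// ties the request to the logged-in session, and no nopriv hook is added,
// so anonymous callers get WordPress's default rejection for unknown actions.
function demo_chat_export_secure() {
    // CSRF: the request must carry a nonce created with
    // wp_create_nonce( 'demo_chat_export' ) for this user (assumed nonce action).
    check_ajax_referer( 'demo_chat_export', 'nonce' );

    // Authorization: the check whose absence is CWE-862. The required
    // capability is a design choice; manage_options restricts it to admins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $chats = get_option( 'demo_chat_transcripts', array() );
    wp_send_json_success( $chats );
}
add_action( 'wp_ajax_demo_chat_export', 'demo_chat_export_secure' );
// Deliberately no add_action( 'wp_ajax_nopriv_demo_chat_export', ... ).

// --- Same rule for a REST endpoint --------------------------------------
// For REST routes the authorization decision lives in permission_callback.
// Passing '__return_true' there reproduces the flaw; a capability check fixes it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-chat/v1', '/transcripts', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( get_option( 'demo_chat_transcripts', array() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class of flaw, the two things to grep for are wp_ajax_nopriv_ hooks whose handlers touch privileged data, and REST routes whose permission_callback is '__return_true' or missing; both are the server-side counterpart of the "access levels" the recommended actions above ask you to verify. Unexpected POSTs to admin-ajax.php for a plugin's action names in the web server log are the corresponding detection signal.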

Tracking


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 24 Nov 2025 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Wordpress; Wordpress wordpress
Vendors & Products | (none) | Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 12:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Missing Authorization vulnerability in ThemeAtelier Chat Help chat-help allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chat Help: from n/a through <= 3.1.3.
Title | (none) | WordPress Chat Help plugin <= 3.1.3 - Broken Access Control vulnerability
Weaknesses | (none) | CWE-862
References | (none) | (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:07:42.662Z

Reserved: 2025-11-21T11:21:12.145Z

Link: CVE-2025-66099

Vulnrichment

Updated: 2025-11-21T16:29:57.483Z

NVD

Status: Deferred

Published: 2025-11-21T13:15:51.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66099

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:45:10Z

Weaknesses