Impact
Missing authorization in the Better Chat Support for Messenger plugin allows an attacker to access or manipulate functionality that should be restricted to privileged users, potentially exposing sensitive data or enabling further malicious activity. The flaw arises from incorrectly configured access control security levels in versions up to 1.2.18, as noted in the vendor description. The vulnerability gives an attacker the ability to perform actions that normally require higher permissions, thereby compromising the confidentiality, integrity, or availability of the underlying WordPress site data.
Affected Systems
The issue affects WordPress sites that have installed the ThemeAtelier Better Chat Support for Messenger plugin at version 1.2.18 or earlier. Only these versions are impacted; newer releases are not listed as vulnerable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score below 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is crafted requests to the plugin’s admin or AJAX endpoints that lack proper authorization checks. An attacker may not need elevated privileges to exploit the flaw, so it is potentially reachable by unauthenticated users who can identify the vulnerable endpoints. Mitigating this risk requires applying official patch updates or implementing workaround controls as outlined below.
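The missing-authorization pattern described above, shown as an added illustration that is not the plugin's own code: a WordPress AJAX handler with no capability or nonce check beside its hardened form. The action names, the option name and the manage_options capability are assumptions for this example.

```php
<?php
// Constructed example: a privileged settings handler in a WordPress plugin,
// first without authorization, then hardened. Names are hypothetical.

// Weak pattern: reachable by any logged-in user via wp_ajax_ and by
// unauthenticated visitors via wp_ajax_nopriv_; it writes a privileged
// option without verifying a capability or a nonce. Note that is_admin()
// is true for every admin-ajax.php request and is NOT an authorization check.
function example_save_settings_unchecked() {
    $value = isset( $_POST['page_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['page_id'] ) )
        : '';
    update_option( 'example_chat_page_id', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_weak', 'example_save_settings_unchecked' );
add_action( 'wp_ajax_nopriv_example_save_settings_weak', 'example_save_settings_unchecked' );

// Hardened pattern: no nopriv hook (so a login is required), a nonce bound to
// this specific action, and an explicit capability check before any write.
function example_save_settings_checked() {
    // Rejects a missing or stale nonce; by default it ends the request with -1.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Authorization: only users who may manage options can change plugin config.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['page_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['page_id'] ) )
        : '';
    update_option( 'example_chat_page_id', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_checked' );

// The admin page that issues the request must pass a matching nonce, e.g.:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'url'   => admin_url( 'admin-ajax.php' ),
//     'nonce' => wp_create_nonce( 'example_save_settings' ),
// ) );
```

When auditing a plugin for this class of flaw, look for every wp_ajax_nopriv_ registration and every admin action that reaches update_option or a database write without a current_user_can check on the path to it.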
OpenCVE Enrichment