Impact
The One to one user Chat by WPGuppy plugin is missing a capability check on the /wp-json/guppylite/v2/channel-authorize REST endpoint. Because the endpoint accepts requests without verifying the user’s access rights, unauthenticated attackers can make HTTP calls to this endpoint and intercept private chat messages exchanged between site users. The flaw is categorized as CWE-306 (Missing Authorization for Functionality). Successful exploitation exposes confidential conversation data, potentially revealing personal identifiers or sensitive content, but it does not provide arbitrary code execution or direct control of the underlying WordPress system.
Affected Systems
WordPress sites that have installed the One to one user Chat by WPGuppy plugin, in any version up to and including 1.1.4, are affected. The affected vendor is amentotechpvtltd, and the issue is present in every installed copy of the plugin that has not been updated.
Risk and Exploitability
The published CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of confirmed exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited over the network through the public REST endpoint, which is reachable via any user’s browser or by automated HTTP requests. Because no authentication or capability check is performed, any client with network access to the site can send a request to the endpoint and receive the contents of private chats. This risk is effectively mitigated by applying a patch that restores proper capability checks or by preventing the endpoint from being accessed by unauthenticated users.