The vulnerability in the AhaChat Messenger Marketing plugin for WordPress allows an attacker to bypass authentication by using an alternate path or channel. This flaw permits password recovery exploitation, enabling an adversary to reset or retrieve credentials without legitimate authorization. The weakness stems from improper authentication controls (CWE-288), which undermine account security and can lead to unauthorized data access or modification.

All installations of the WordPress AhaChat Messenger Marketing plugin version 1.1 or earlier (the range is defined as from n/a through <= 1.1) are susceptible. The plugin is distributed as a WordPress add‑on, so any site that has deployed it before the fix is at risk. The vulnerability is tied specifically to the password recovery mechanism embedded in the plugin.

The CVSS score of 6.5 signals a moderate severity, and the EPSS score of less than 1% indicates that historic exploitation probability is low, though it is not zero. The plugin is not listed in CISA’s KEV catalog, meaning no publicly confirmed exploit has been documented. The most probable attack vector is a web‑based exploitation of the password recovery endpoint; we infer that the alternate path involves the plugin’s custom reset route. Attacking this would likely require only a pre‑determined URL and possibly minimal user interaction. Given the low EPSS and absence from KEV, the current risk is moderate, but operators should remain vigilant to detect new exploit attempts.