Description
The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options, including critical settings such as API keys, authentication keys, and layout configurations.
Published: 2026-03-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of plugin settings, including API and authentication keys
Action: Patch
AI Analysis

Impact

The AtomChat Group Chat & Video Chat plugin for WordPress allows authenticated users with Subscriber-level access or higher to modify plugin options via the atomchat_update_auth_ajax and atomchat_update_layout_ajax AJAX handlers. The vulnerability results from a missing capability check, enabling unauthorized modification of critical settings such as API keys, authentication credentials, and layout configurations. This capability can compromise the confidentiality of credentials, alter user experience, and potentially create a foothold for further attacks.

Affected Systems

WordPress sites that have installed the AtomChat Group Chat & Video Chat plugin version 1.1.7 or any earlier release are affected. The issue applies to all versions up to and including 1.1.7, regardless of other plugin or theme components. Sites running newer releases beyond 1.1.7 are presumed to have the fix.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score below 1% suggests a low probability of exploitation. Because the attacker only needs an authenticated Subscriber account—a role commonly granted— the potential for exploitation exists on sites with vulnerable users. No publicly known exploits are reported, and the vulnerability is not listed in CISA's KEV catalog, but the limitations in authorization still require timely remediation to avoid configuration tampering.

Generated by OpenCVE AI on April 8, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AtomChat plugin to the latest available release.
  • Restrict the capabilities of the Subscriber role to prevent access to the vulnerable AJAX endpoints, or use a security plugin to block those endpoints.
  • If the AtomChat plugin is not essential, deactivate or delete it entirely.
  • Monitor the plugin configuration for unexpected changes and review site logs for unauthorized activity.

Generated by OpenCVE AI on April 8, 2026 at 19:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Atomchat
Atomchat group Chat & Video Chat By Atomchat
Wordpress
Wordpress wordpress
Vendors & Products Atomchat
Atomchat group Chat & Video Chat By Atomchat
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options, including critical settings such as API keys, authentication keys, and layout configurations.
Title Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Atomchat Group Chat & Video Chat By Atomchat
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:32.831Z

Reserved: 2026-01-20T19:26:11.841Z

Link: CVE-2026-1253

cve-icon Vulnrichment

Updated: 2026-03-23T17:18:06.920Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T04:16:52.063

Modified: 2026-04-08T18:25:43.920

Link: CVE-2026-1253

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:01:22Z

Weaknesses