Impact
The vulnerability causes subscriber sensitive data to be exposed by the Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons plugin in WordPress versions up to 1.4.8. This flaw allows an attacker to read data that should remain confidential, compromising privacy of subscriber information. The weakness is an instance of CWE‑201, which highlights improper protection of data during transmission or storage.
Affected Systems
WordPress sites that have installed the Chatway Live Chat plugin version 1.4.8 or earlier are affected. The plugin, commonly referred to as Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons, should be upgraded to at least version 1.4.9 to remove the vulnerability.
Risk and Exploitability
The CVSS score of 7.4 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. With no public exploit listed and not present in the CISA KEV catalog, the risk remains primarily theoretical. The likely attack vector is through the plugin’s configuration or data handling routines, potentially accessible to an authenticated administrator or through a local compromise of the WordPress site. Because the description does not specify a network‑based vector, it is inferred that the risk is mitigated if the site owner promptly applies the available patch.
OpenCVE Enrichment