Description
The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all plugin configuration settings — including general settings, display rules, custom CSS, and WooCommerce tab settings — to their defaults by sending a POST request with ecs_reset_settings=1.
Published: 2026-05-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Essential Chat Support plugin processes the ecs_reset_settings POST parameter without checking that the requester is authorized to change plugin settings. Any client that can reach the site, with no WordPress account at all, can send ecs_reset_settings=1 and reset every plugin option (general settings, display rules, custom CSS and the WooCommerce tab settings) to its default value. This is a missing-authorization flaw (CWE-862). The consequence is a loss of integrity of the plugin's configuration: site-specific customization and display rules are wiped, and repeated requests can undo an administrator's changes as fast as they are made. No disclosure of data and no code execution is indicated.
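The pattern behind this class of flaw, and the corresponding fix, as an added PHP example written for this page. It is a hypothetical reconstruction, not the Essential Chat Support plugin's own code: the function names (ecs_example_*), the nonce field name and the option keys are assumptions; only the ecs_reset_settings parameter name comes from the advisory.

```php
<?php
// Added example for CVE-2026-8681; hypothetical reconstruction, NOT the plugin's code.
// Function names, the nonce name and the option keys are placeholders.

// Shared reset routine. The real plugin's option keys are not given on this page.
function ecs_example_reset_all_settings() {
    $option_keys = array( 'ecs_general', 'ecs_display_rules', 'ecs_custom_css', 'ecs_woo_tab' );
    foreach ( $option_keys as $key ) {
        delete_option( $key ); // plugin falls back to its defaults once the option is gone
    }
}

// VULNERABLE PATTERN (CWE-862): the request parameter alone drives a privileged
// action. The hook runs on every front-end request, so an anonymous visitor who
// POSTs ecs_reset_settings=1 reaches the reset.
function ecs_example_vulnerable_reset() {
    if ( isset( $_POST['ecs_reset_settings'] ) && '1' === $_POST['ecs_reset_settings'] ) {
        ecs_example_reset_all_settings();
    }
}
// add_action( 'init', 'ecs_example_vulnerable_reset' );  // do not register this

// HARDENED PATTERN: require (1) the trigger parameter, (2) a capability that only
// administrators hold, and (3) a nonce bound to this specific action. Each failure
// returns early; the reset is the last statement and is reached only if all hold.
function ecs_example_hardened_reset() {
    if ( ! isset( $_POST['ecs_reset_settings'] ) || '1' !== $_POST['ecs_reset_settings'] ) {
        return; // not a reset request at all
    }
    // Authorization: anonymous users and non-admin roles fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset these settings.', 'Forbidden', array( 'response' => 403 ) );
    }
    // CSRF protection: the nonce must have been issued to this user for this action.
    $nonce = isset( $_POST['_ecs_reset_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_ecs_reset_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'ecs_reset_settings' ) ) {
        wp_die( 'Invalid or expired request.', 'Forbidden', array( 'response' => 403 ) );
    }
    ecs_example_reset_all_settings();
}
add_action( 'admin_init', 'ecs_example_hardened_reset' );

// Admin-side form that emits the matching nonce; rendered inside the plugin's
// settings page (hypothetical callback name).
function ecs_example_render_reset_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ecs_reset_settings', '_ecs_reset_nonce' );
    echo '<input type="hidden" name="ecs_reset_settings" value="1">';
    submit_button( 'Reset to defaults', 'delete', 'submit', false );
    echo '</form>';
}
```

Moving the hook from init to admin_init is not itself an authorization control: admin_init also fires for anonymous requests to admin-ajax.php and admin-post.php, so the current_user_can() check is what actually closes the unauthenticated path described in the advisory. The nonce is there for the separate case of a logged-in administrator being tricked into submitting the reset from another site; a settings-reset handler should carry both checks.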

Affected Systems

All WordPress sites running Essential Chat Support at version 1.0.1 or earlier are affected; no fixed version is listed on this page. The product is tracked under the vendor/product pair essentialplugin / Essential Chat Support and is normally installed from the WordPress plugin repository.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, and a low integrity impact with no confidentiality or availability impact scored. The EPSS exploitation probability is below 1% and the CVE is not listed in the CISA KEV catalog. Exploitation needs only a single crafted POST request to a publicly reachable site, so the technical barrier is negligible; the overall risk is nevertheless moderate because the attacker gains no data and no code execution, only the ability to wipe the plugin's configuration at will.

Generated by OpenCVE AI on May 16, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Essential Chat Support plugin as soon as a release later than 1.0.1 that adds an authorization check to the ecs_reset_settings handler is published; no fixed version is listed on this page yet
  • Until then, block POST requests carrying the ecs_reset_settings parameter at the web server or WAF layer; removing or commenting out the handler code in the plugin's register-settings.php and ecs-functions.php also works, but such a manual edit is silently lost the next time the plugin is updated, so record it and keep the block in place until a fixed version is installed
  • After remediation, confirm that the plugin's settings (general, display rules, custom CSS, WooCommerce tab) still hold their intended values, and watch for unexplained resets to defaults, which would indicate the endpoint was reached

Generated by OpenCVE AI on May 16, 2026 at 04:20 UTC.

Advisories

No advisories yet.

History

Sat, 16 May 2026 03:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all plugin configuration settings — including general settings, display rules, custom CSS, and WooCommerce tab settings — to their defaults by sending a POST request with ecs_reset_settings=1.
Title         (none)           Essential Chat Support <= 1.0.1 - Missing Authorization to Unauthenticated Settings Reset via 'ecs_reset_settings' Parameter
Weaknesses    (none)           CWE-862
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-16T02:26:50.140Z

Reserved: 2026-05-15T13:35:04.229Z

Link: CVE-2026-8681

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T03:16:21.007

Modified: 2026-05-16T03:16:21.007

Link: CVE-2026-8681

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T04:30:15Z

Weaknesses