Description
The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all plugin configuration settings — including general settings, display rules, custom CSS, and WooCommerce tab settings — to their defaults by sending a POST request with ecs_reset_settings=1.
Published: 2026-05-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Essential Chat Support plugin fails to verify user authorization when processing the ecs_reset_settings parameter. An attacker who can send a POST request with ecs_reset_settings=1 can reset every plugin configuration—including general settings, display rules, custom CSS, and WooCommerce tab settings—to default values. This constitutes an authorization bypass (CWE-862) that allows an unauthenticated user to alter operational configuration, potentially disrupting service or compromising the intended configuration of the site.

Affected Systems

All WordPress sites running Essential Chat Support version 1.0.1 or earlier are affected. The plugin is tracked under the vendor/product identifier essentialplugin:Essential Chat Support and is commonly deployed through the WordPress plugin repository.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires only the ability to send a crafted POST request to a publicly accessible WordPress site and does not depend on authenticated credentials or additional privileges. Consequently, the risk is considered moderate: attackers can easily reset configuration settings without restriction.

Generated by OpenCVE AI on May 16, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Essential Chat Support plugin to the latest version that removes the ecs_reset_settings authorization flaw
  • If an update cannot be applied immediately, temporarily disable the ecs_reset_settings parameter by removing or commenting out the relevant code in the register-settings.php and ecs-functions.php files
  • Once remediation is applied, verify that the plugin's configuration is intact and monitor site activity for any anomalous configuration changes
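The flaw class here (CWE-862, a state-changing action gated only on the presence of a request parameter) has a standard fix in WordPress: a capability check plus a nonce check before the action runs. The snippet below is an added illustration of that fix pattern, not code from the Essential Chat Support plugin; the option keys, hook, function names and nonce action are hypothetical. The first function shows the shape of a handler with the authorization check missing; the second shows the hardened form.

```php
<?php
/**
 * Illustrative "reset settings" handler for a WordPress plugin.
 * Added example of the CWE-862 fix pattern; NOT code from the Essential Chat
 * Support plugin. Option keys, hook, function names and nonce action are
 * hypothetical placeholders.
 */

// Hypothetical option keys that a reset restores to their defaults.
const ECS_EXAMPLE_OPTION_KEYS = array(
    'ecs_example_general',
    'ecs_example_display_rules',
    'ecs_example_custom_css',
    'ecs_example_woocommerce_tab',
);

/**
 * Shape of a missing-authorization handler (hypothetical): the only condition
 * is the presence of a POST parameter, so any visitor who reaches the code
 * path can wipe the configuration. Shown for contrast only.
 */
function ecs_example_reset_settings_unsafe() {
    if ( isset( $_POST['ecs_reset_settings'] ) ) {
        foreach ( ECS_EXAMPLE_OPTION_KEYS as $key ) {
            delete_option( $key );
        }
    }
}

/**
 * Hardened form: the reset runs only for a user holding manage_options and
 * only with a valid nonce bound to this specific action.
 */
function ecs_example_reset_settings_safe() {
    if ( empty( $_POST['ecs_reset_settings'] ) ) {
        return;
    }
    // Authorization (the check CWE-862 describes as missing): refuse unless
    // the current user may manage site options. Unauthenticated requests
    // fail here because current_user_can() is false for anonymous users.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset these settings.', 'ecs-example' ), 403 );
    }
    // CSRF protection: the nonce must match the action emitted by the form.
    check_admin_referer( 'ecs_example_reset_settings', 'ecs_example_nonce' );

    foreach ( ECS_EXAMPLE_OPTION_KEYS as $key ) {
        delete_option( $key );
    }
    wp_safe_redirect( add_query_arg( 'ecs_reset', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_init', 'ecs_example_reset_settings_safe' );

/** Settings-page form fragment that emits the matching nonce field. */
function ecs_example_render_reset_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ecs_example_reset_settings', 'ecs_example_nonce' );
    echo '<input type="hidden" name="ecs_reset_settings" value="1">';
    submit_button( __( 'Reset settings', 'ecs-example' ), 'delete' );
    echo '</form>';
}
```

Two points worth noting when auditing a handler like this: hooking into admin_init is not by itself an authorization check, because that hook also fires for admin-ajax.php requests, which unauthenticated visitors can reach; and a nonce check alone is not authorization either, since a nonce only proves the request originated from a form the site rendered. Both the capability test and the nonce test are needed.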

Generated by OpenCVE AI on May 16, 2026 at 04:20 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 18 May 2026 19:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 17 May 2026 18:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Essentialplugin; Essentialplugin essential Chat Support; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Essentialplugin; Essentialplugin essential Chat Support; Wordpress; Wordpress wordpress

Sat, 16 May 2026 03:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all plugin configuration settings — including general settings, display rules, custom CSS, and WooCommerce tab settings — to their defaults by sending a POST request with ecs_reset_settings=1.
Type: Title
  Values Removed: (none)
  Values Added: Essential Chat Support <= 1.0.1 - Missing Authorization to Unauthenticated Settings Reset via 'ecs_reset_settings' Parameter
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-862
Type: References
  Values Removed: (none)
  Values Added:
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Essentialplugin Essential Chat Support
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-18T17:40:28.240Z

Reserved: 2026-05-15T13:35:04.229Z

Link: CVE-2026-8681

Vulnrichment

Updated: 2026-05-18T17:40:14.873Z

NVD

Status : Deferred

Published: 2026-05-16T03:16:21.007

Modified: 2026-05-18T17:44:03.697

Link: CVE-2026-8681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T17:01:04Z

Weaknesses