CVE-2025-31596
Description
Missing Authorization vulnerability in Chatwee Chat by Chatwee chatwee allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chat by Chatwee: from n/a through <= 2.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chat by Chatwee plugin ≤ 2.1.3 missing authorization allows unprivileged users to access admin functions.
Vulnerability Overview
The Chat by Chatwee plugin for WordPress (versions up to and including 2.1.3) suffers from a Missing Authorization vulnerability. This is a broken access control issue where the plugin fails to properly verify permissions for certain functions, allowing unprivileged users to execute actions meant for higher-privileged roles [1].
Exploitation Details
An attacker who can reach the vulnerable endpoints can exploit this flaw; depending on which check is missing, that may be any authenticated user or even an unauthenticated one. The root cause is the absence of nonce verification or capability checks in one or more administrative functions, which makes it possible to bypass the intended access restrictions [1]. No special network position is required beyond normal web access.
Impact
Successful exploitation enables an attacker to perform unauthorized administrative actions, such as altering plugin settings or accessing sensitive data. Such broken access control vulnerabilities are often targeted in mass-exploit campaigns, affecting thousands of sites regardless of size or popularity [1].
Mitigation
The vendor has released a patch; users must update the plugin to version 2.1.4 or later. If updating is not immediately possible, site owners should contact their hosting provider for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.