VYPR
High severity 7.4 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-49082

Description

The Chatway Live Chat plugin <= 1.4.8 exposes subscriber user data, which can be abused in mass-exploit campaigns.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons plugin for WordPress versions 1.4.8 and earlier contains a sensitive data exposure vulnerability. This flaw allows unauthorized access to subscriber information, which is normally restricted from unprivileged users. The issue affects all installations of the plugin prior to version 1.4.9.

Exploitation

No authentication or special network position is required beyond standard web access to a vulnerable WordPress site. An attacker can exploit the vulnerability remotely by sending crafted requests to the plugin's endpoints that inadvertently disclose subscriber data [1]. The vulnerability is considered highly dangerous and is expected to be incorporated into mass-exploit campaigns targeting thousands of sites [1].

Impact

Successful exploitation permits a malicious actor to view sensitive information about subscribers, such as personal details or chat histories, that should not be accessible to unauthenticated users [1]. This data exposure can be leveraged to launch further attacks, such as social engineering or account compromise, thereby escalating the breach's scope and severity.

Mitigation

The vendor has released version 1.4.9, which resolves the vulnerability. All users are strongly advised to update to this version immediately [1]. For Patchstack users, enabling auto-update for vulnerable plugins is recommended. No virtual patch is available due to the nature of the flaw, so updating is the only effective mitigation [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
