{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12751", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-05T15:05:39.124Z", "datePublished": "2025-11-19T05:45:11.235Z", "dateUpdated": "2026-04-08T16:34:57.099Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:57.099Z"}, "affected": [{"vendor": "elextensions", "product": "WSChat \u2013 WordPress Live Chat", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WSChat \u2013 WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings."}], "title": "WSChat \u2013 WordPress Live Chat <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0be6658d-aec8-404c-a994-bde10a3cdbac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395773%40wschat-live-chat&new=3395773%40wschat-live-chat&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "timeline": [{"time": "2025-11-05T15:20:47.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-18T17:25:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T20:17:18.587081Z", "id": "CVE-2025-12751", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T20:17:52.648Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T20:17:18.587081Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T20:17:47.350Z"}}], "cna": {"title": "WSChat \u2013 WordPress Live Chat <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset", "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "elextensions", "product": "WSChat \u2013 WordPress Live Chat", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-05T15:20:47.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-18T17:25:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0be6658d-aec8-404c-a994-bde10a3cdbac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395773%40wschat-live-chat&new=3395773%40wschat-live-chat&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WSChat \u2013 WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-19T05:45:11.235Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12751", "state": "PUBLISHED", "dateUpdated": "2025-11-19T20:17:52.648Z", "dateReserved": "2025-11-05T15:05:39.124Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-19T05:45:11.235Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WSChat \u2013 WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings."}], "id": "CVE-2025-12751", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-19T06:15:46.443", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395773%40wschat-live-chat&new=3395773%40wschat-live-chat&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0be6658d-aec8-404c-a994-bde10a3cdbac?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:22:40.179632+00:00", "value": {"mitigation_remediation": ["Install the newest version of WSChat in which the missing capability check has been restored, ensuring that only administrators can access the 'reset_settings' endpoint.", "If an update cannot be applied immediately, remove the 'reset_settings' capability from roles other than Administrator. This can be done with a role\u2011management plugin or by adding a custom code snippet that deregisters the AJAX action for non\u2011administrative users.", "As a temporary safeguard, monitor the plugin configuration for unexpected changes, keep a backup of the settings, and consider disabling the chat feature or the entire plugin until a patched version is available."], "summary": {"action": "Apply patch", "impact": "Unauthorized plugin settings reset"}, "threat_synthesis": {"affected_systems": "All WordPress installations that have the WSChat \u2013 WordPress Live Chat plugin installed and running version 3.1.6 or earlier. The flaw is independent of the underlying operating system or theme and targets only the plugin code.", "description_and_impact": "The WSChat \u2013 WordPress Live Chat plugin has a missing capability check on the 'reset_settings' AJAX endpoint in all releases up to 3.1.6. This allows any authenticated user with Subscriber level or higher to reset the plugin\u2019s configuration, disrupting chat availability and any services that depend on the live chat integration. The vulnerability is a classic privilege\u2011escalation problem, identified as CWE-862, where insufficient authorization checks permit unauthorized state changes.", "risk_and_exploitability": "The CVSS score of 4.3 classifies the issue as low severity, while the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Because the flaw requires an authenticated user with Subscriber\u2011level or higher access, the attack vector is login\u2011based; an attacker can trigger the vulnerable AJAX endpoint via a direct web request or through the admin panel. The impact is limited to configuration changes, but it can still cause service disruption if the chat is a critical component of the site."}}}}, "created": "2025-11-20T10:30:40.166542+00:00", "updated": "2026-04-28T10:30:29.016011+00:00", "vendors": ["elextensions", "elextensions$PRODUCT$wschat", "wordpress", "wordpress$PRODUCT$wordpress"]}