{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6792", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-27T14:49:03.655Z", "datePublished": "2026-02-14T06:42:25.584Z", "dateUpdated": "2026-04-08T16:32:55.375Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:55.375Z"}, "affected": [{"vendor": "amentotechpvtltd", "product": "One to one user Chat by WPGuppy", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to intercept and view private chat messages between users."}], "title": "One to one user Chat by WPGuppy <= 1.1.4 - Unauthenticated Information Disclosure via Chat Message Interception", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03774303-c9f4-4666-ac88-78f92aaf81dc?source=cve"}, {"url": "https://wordpress.org/plugins/wpguppy-lite/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2026-02-13T18:16:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:15:53.138914Z", "id": "CVE-2025-6792", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:16:00.898Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6792", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:15:53.138914Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:15:57.646Z"}}], "cna": {"title": "One to one user Chat by WPGuppy <= 1.1.4 - Unauthenticated Information Disclosure via Chat Message Interception", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "amentotechpvtltd", "product": "One to one user Chat by WPGuppy", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:16:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03774303-c9f4-4666-ac88-78f92aaf81dc?source=cve"}, {"url": "https://wordpress.org/plugins/wpguppy-lite/"}], "descriptions": [{"lang": "en", "value": "The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to intercept and view private chat messages between users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:55.375Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6792", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:55.375Z", "dateReserved": "2025-06-27T14:49:03.655Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:25.584Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to intercept and view private chat messages between users."}, {"lang": "es", "value": "El plugin One to one user Chat de WPGuppy para WordPress es vulnerable a acceso no autorizado a datos debido a una falta de comprobaci\u00f3n de capacidad en el endpoint REST /wp-json/guppylite/v2/channel-authorize en todas las versiones hasta la 1.1.4, inclusive. Esto hace posible que atacantes no autenticados intercepten y vean mensajes de chat privados entre usuarios."}], "id": "CVE-2025-6792", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:07.270", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wpguppy-lite/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03774303-c9f4-4666-ac88-78f92aaf81dc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.4]"}}], "product": "one_to_one_user_chat_by_wpguppy", "vendor": "amentotechpvtltd"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T13:49:52.439340+00:00", "value": {"mitigation_remediation": ["Update the One to one user Chat by WPGuppy plugin to the latest version that includes the capability check fix.", "Restrict access to the /wp-json/guppylite/v2/channel-authorize endpoint by configuring the site to allow requests only from authenticated users, for example through .htaccess rules or a security plugin.", "Monitor site traffic and REST API logs for unexpected requests to the /wp-json/guppylite/v2 channel\u2011authorize endpoint to detect potential exploitation attempts."], "summary": {"action": "Apply Update", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the One to one user Chat by WPGuppy plugin \u2013 any version up to and including 1.1.4 of the plugin. The affected vendor is amentotechpvtltd, and the issue is present in all installed copies of the plugin without an updated version.", "description_and_impact": "The One to one user Chat by WPGuppy plugin contains a missing capability check on the /wp-json/guppylite/v2/channel-authorize REST endpoint. Because the endpoint accepts requests without verifying the user\u2019s access rights, unauthenticated attackers can make HTTP calls to this endpoint and intercept private chat messages exchanged between site users. The flaw is categorized as CWE-306 (Missing Authorization for Functionality). A successful exploitation exposes confidential conversation data, potentially revealing personal identifiers or sensitive content, but it does not provide arbitrary code execution or direct control of the underlying WordPress system.", "risk_and_exploitability": "The published CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of confirmed exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited over the network through the public REST endpoint, which is reachable via any user\u2019s browser or by automated HTTP requests. Because no authentication or capability check is performed, any client with network access to the site can send a request to the endpoint and receive the contents of private chats. This risk is effectively mitigated by applying a patch that restores proper capability checks or by preventing the endpoint from being accessed by unauthenticated users."}}}}, "created": "2026-02-16T12:03:11.799809+00:00", "updated": "2026-04-22T14:00:18.227769+00:00", "vendors": ["amentotechpvtltd", "amentotechpvtltd$PRODUCT$one_to_one_user_chat_by_wpguppy", "wordpress", "wordpress$PRODUCT$wordpress"]}