{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1253", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T19:26:11.841Z", "datePublished": "2026-03-21T03:26:47.861Z", "dateUpdated": "2026-04-14T15:21:58.613Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:32.831Z"}, "affected": [{"vendor": "atomchat", "product": "Group Chat & Video Chat by AtomChat", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options, including critical settings such as API keys, authentication keys, and layout configurations."}], "title": "Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c2980c3-0038-42ab-8751-72c40921477a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/atomchat/trunk/includes/atomchat_requesthandler.php#L175"}, {"url": "https://plugins.trac.wordpress.org/browser/atomchat/tags/1.1.7/includes/atomchat_requesthandler.php#L175"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-03-20T15:17:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:21:51.721224Z", "id": "CVE-2026-1253", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:21:58.613Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1253", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:21:51.721224Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:18:06.920Z"}}], "cna": {"title": "Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "atomchat", "product": "Group Chat & Video Chat by AtomChat", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:17:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c2980c3-0038-42ab-8751-72c40921477a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/atomchat/trunk/includes/atomchat_requesthandler.php#L175"}, {"url": "https://plugins.trac.wordpress.org/browser/atomchat/tags/1.1.7/includes/atomchat_requesthandler.php#L175"}], "descriptions": [{"lang": "en", "value": "The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options, including critical settings such as API keys, authentication keys, and layout configurations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:32.831Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1253", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:21:58.613Z", "dateReserved": "2026-01-20T19:26:11.841Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:47.861Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options, including critical settings such as API keys, authentication keys, and layout configurations."}, {"lang": "es", "value": "El plugin Group Chat &amp; Video Chat by AtomChat para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en las funciones 'atomchat_update_auth_ajax' y 'atomchat_update_layout_ajax' en todas las versiones hasta la 1.1.7, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, actualicen las opciones del plugin, incluyendo configuraciones cr\u00edticas como claves API, claves de autenticaci\u00f3n y configuraciones de dise\u00f1o."}], "id": "CVE-2026-1253", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-21T04:16:52.063", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/atomchat/tags/1.1.7/includes/atomchat_requesthandler.php#L175"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/atomchat/trunk/includes/atomchat_requesthandler.php#L175"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c2980c3-0038-42ab-8751-72c40921477a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Group Chat & Video Chat by AtomChat", "source": "cna", "vendor": "atomchat"}, "product": "group_chat_&_video_chat_by_atomchat", "vendor": "atomchat"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T19:06:20.318127+00:00", "value": {"mitigation_remediation": ["Update the AtomChat plugin to the latest available release.", "Restrict the capabilities of the Subscriber role to prevent access to the vulnerable AJAX endpoints, or use a security plugin to block those endpoints.", "If the AtomChat plugin is not essential, deactivate or delete it entirely.", "Monitor the plugin configuration for unexpected changes and review site logs for unauthorized activity."], "summary": {"action": "Patch", "impact": "Unauthorized modification of plugin settings, including API and authentication keys"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the AtomChat Group Chat & Video Chat plugin version 1.1.7 or any earlier release are affected. The issue applies to all versions up to and including 1.1.7, regardless of other plugin or theme components. Sites running newer releases beyond 1.1.7 are presumed to have the fix.", "description_and_impact": "The AtomChat Group Chat & Video Chat plugin for WordPress allows authenticated users with Subscriber-level access or higher to modify plugin options via the atomchat_update_auth_ajax and atomchat_update_layout_ajax AJAX handlers. The vulnerability results from a missing capability check, enabling unauthorized modification of critical settings such as API keys, authentication credentials, and layout configurations. This capability can compromise the confidentiality of credentials, alter user experience, and potentially create a foothold for further attacks.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score below 1% suggests a low probability of exploitation. Because the attacker only needs an authenticated Subscriber account\u2014a role commonly granted\u2014 the potential for exploitation exists on sites with vulnerable users. No publicly known exploits are reported, and the vulnerability is not listed in CISA's KEV catalog, but the limitations in authorization still require timely remediation to avoid configuration tampering."}}}}, "created": "2026-03-23T09:50:36.588175+00:00", "updated": "2026-04-08T20:01:22.079506+00:00", "vendors": ["atomchat", "atomchat$PRODUCT$group_chat_&_video_chat_by_atomchat", "wordpress", "wordpress$PRODUCT$wordpress"]}