CVE-2025-6792
Unauthorized Access in WPGuppy Chat Plugin Exposes Private Messages
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amentotech_private_limited | one_to_one_user_chat_by_wpguppy | to 1.1.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The One to one user Chat by WPGuppy plugin for WordPress has a vulnerability due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize REST endpoint in all versions up to and including 1.1.4.
This flaw allows unauthenticated attackers to intercept and view private chat messages between users, meaning that private conversations can be accessed without proper authorization.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to private chat messages between users of the plugin.
As a result, sensitive or confidential information shared in these chats could be exposed to attackers who do not have permission to view it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves unauthorized access due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize REST endpoint in the One to one user Chat by WPGuppy plugin. Detection could involve monitoring for unauthorized or unusual access attempts to this specific REST endpoint.
You can use network monitoring tools or web server logs to identify requests to the /wp-json/guppylite/v2/channel-authorize endpoint from unauthenticated sources.
- Use curl or wget to test access to the endpoint without authentication, for example: curl -i https://yourwordpresssite.com/wp-json/guppylite/v2/channel-authorize
- Check web server access logs for unusual or repeated GET or POST requests to /wp-json/guppylite/v2/channel-authorize.
- Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on requests to this endpoint that do not have proper authentication.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the vulnerable One to one user Chat by WPGuppy plugin if it is installed and running on your WordPress site.
Since the plugin has been temporarily closed and is no longer available for download pending a full security review, avoid using or reinstalling it until a secure version is released.
Restrict access to the /wp-json/guppylite/v2/channel-authorize REST endpoint by implementing access controls or firewall rules to block unauthenticated requests.
Monitor your site for any signs of unauthorized access or data leakage related to private chat messages.