Platform
wordpress
Component
wpguppy-lite
Fixed in
1.1.5
CVE-2025-6792 describes an information disclosure vulnerability in the One to one user Chat plugin (wpguppy-lite) for WordPress, developed by WPGuppy. The issue stems from a missing capability check on the /wp-json/guppylite/v2/channel-authorize REST endpoint: the endpoint does not verify that the caller is authenticated or authorized, so unauthenticated attackers can read private chat messages exchanged between users. Versions up to and including 1.1.4 are affected; the issue is fixed in version 1.1.5.
The primary impact of CVE-2025-6792 is unauthorized exposure of private chat messages. An attacker does not need to intercept traffic: a direct request to the unprotected endpoint is enough to read conversations between users of the One to one user Chat plugin. Depending on what is discussed in those chats, this can mean compromise of confidential information, reputational damage, and potential legal exposure. Because no authentication is required, anyone who can reach the site's REST API can exploit the flaw, which makes it attractive for opportunistic, automated attacks.
CVE-2025-6792 was publicly disclosed on 2026-02-13. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's ease of exploitation, requiring no authentication, suggests a potential for opportunistic exploitation if a PoC is released. The vulnerability has not been added to the CISA KEV catalog as of this date.
Exploit Status
EPSS
0.02% (6th percentile)
The primary mitigation for CVE-2025-6792 is to update the One to one user Chat plugin to version 1.1.5 or later. If you cannot update immediately, either disable the plugin or block unauthenticated requests to the /wp-json/guppylite/v2/channel-authorize endpoint with a WordPress firewall or security plugin; be aware that blocking the endpoint can break legitimate plugin functionality for the duration of the workaround. Review web-server access logs for requests to this endpoint, in particular requests that carry no WordPress session cookie or arrive in unusual volume from a single source.
If updating is not possible and a workaround is unacceptable for your environment, weigh your organization's risk tolerance and consider removing the plugin in favor of an alternative until you can deploy the fixed release.
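As an added illustration that is not part of this advisory and not the vendor's code, the following must-use plugin shows one way to apply the temporary workaround described above inside WordPress itself rather than at the web server. It assumes that the REST route is the advisory's path with the /wp-json prefix removed (/guppylite/v2/channel-authorize) and that the endpoint is only meant to serve logged-in users; the hook names and functions used are standard WordPress REST API calls, while the constant and function names prefixed guppylite_guard_ are chosen here.

```php
<?php
/**
 * Plugin Name: Temporary guard for the guppylite channel-authorize endpoint
 * Description: Example workaround (not WPGuppy's code). Rejects and logs
 *              unauthenticated requests to the REST route named in the advisory.
 *
 * Place this file in wp-content/mu-plugins/ on a site that cannot yet update
 * to 1.1.5, and delete it once the plugin has been updated.
 */

// Assumption: the REST route is the advisory path without the /wp-json prefix.
const GUPPYLITE_GUARD_ROUTE = '/guppylite/v2/channel-authorize';

/**
 * rest_pre_dispatch filter: short-circuit anonymous calls to the guarded route.
 *
 * Returns a WP_Error (turned into a 401 response by the REST server) for an
 * unauthenticated request to the guarded route, and the untouched $result for
 * every other request so the rest of the REST API keeps working.
 */
function guppylite_guard_pre_dispatch( $result, $server, $request ) {
    // Prefix-match the parsed route so a trailing slash or extra path
    // segments do not slip past the check; other routes are left alone.
    if ( strpos( $request->get_route(), GUPPYLITE_GUARD_ROUTE ) !== 0 ) {
        return $result;
    }

    // Cookie+nonce, application-password and other authentication handlers
    // have already run before rest_pre_dispatch fires, so is_user_logged_in()
    // reflects the authenticated REST caller, not a stale value.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Log the blocked attempt for the access-log review recommended above.
    // REMOTE_ADDR is the proxy's address unless your stack rewrites it.
    error_log( sprintf(
        'guppylite-guard: blocked anonymous %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // rest_authorization_required_code() yields 401 for anonymous callers.
    return new WP_Error(
        'rest_forbidden',
        __( 'Authentication is required for this endpoint.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_pre_dispatch', 'guppylite_guard_pre_dispatch', 10, 3 );
```

Hooking inside WordPress has one advantage over a path rule at the web server: it keys on the route WordPress actually resolved, so a request that reaches the same handler through the ?rest_route=/guppylite/v2/channel-authorize query form on sites without pretty permalinks is blocked as well. The guard only restores an authentication requirement; it does not know whether the logged-in caller is a participant in the channel being authorized, which is the per-object check a proper permission_callback in the plugin's own register_rest_route() call should enforce. Treat it as a stopgap until 1.1.5 is installed.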
CVE-2025-6792 is an Information Disclosure vulnerability in the One to one user Chat plugin for WordPress, allowing unauthenticated attackers to view private chat messages due to a missing capability check.
You are affected if your WordPress site has the One to one user Chat plugin (wpguppy-lite) installed at version 1.1.4 or earlier; check the installed version on the Plugins screen or with WP-CLI. Update to 1.1.5 or later as soon as possible.
Update the One to one user Chat plugin to version 1.1.5 or later. Until the update is applied, temporarily disable the plugin or block unauthenticated access to the vulnerable endpoint as a workaround.
No active exploitation has been confirmed as of this date, but the vulnerability's ease of exploitation suggests a potential risk.
Check the WPGuppy website and the WordPress plugin directory for official advisories and updates regarding CVE-2025-6792.