Platform
wordpress
Component
wpguppy-lite
Fixed version
1.1.5
CVE-2025-6792 describes an Information Disclosure vulnerability affecting the One to one user Chat plugin developed by WPGuppy for WordPress. This vulnerability allows unauthenticated attackers to access private chat messages between users. The issue stems from a missing capability check on the /wp-json/guppylite/v2/channel-authorize REST endpoint. Affected versions include those prior to and including version 1.1.4; a patch is expected to resolve this issue.
The primary impact of CVE-2025-6792 is the unauthorized exposure of sensitive private chat messages. An attacker can leverage this vulnerability to retrieve and read communications between WordPress users who use the One to one user Chat plugin. This could lead to the compromise of confidential information, reputational damage, and potential legal repercussions depending on the nature of the conversations. Because no authentication is required to exploit the vulnerability, the potential attack surface is significantly broader, making it accessible to a wide range of malicious actors.
CVE-2025-6792 was publicly disclosed on 2026-02-13. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's ease of exploitation, requiring no authentication, suggests a potential for opportunistic exploitation if a PoC is released. The vulnerability has not been added to the CISA KEV catalog as of this date.
WordPress websites utilizing the One to one user Chat plugin, particularly those running versions 1.1.4 and earlier, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are especially vulnerable, as a compromise of one site could potentially expose data from others.
• wordpress / composer / npm:
  grep -r 'wp-json/guppylite/v2/channel-authorize' /var/www/html/wp-content/plugins/one-to-one-user-chat/
• wordpress / composer / npm:
  wp plugin list | grep one-to-one-user-chat
• wordpress / composer / npm:
  curl -I https://your-wordpress-site.com/wp-json/guppylite/v2/channel-authorize
• generic web: Check the WordPress plugin directory for updates and security advisories related to WPGuppy's One to one user Chat plugin.
disclosure
Exploitation status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-6792 is to upgrade the One to one user Chat plugin to a version newer than 1.1.4, once a patched version is released by WPGuppy. Until a patch is available, consider temporarily disabling the plugin to prevent unauthorized access to chat messages. As a temporary workaround, restrict access to the /wp-json/guppylite/v2/channel-authorize endpoint using a WordPress firewall or security plugin, although this may impact legitimate plugin functionality. Monitor WordPress access logs for suspicious activity targeting this endpoint.
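The temporary workaround above can be applied without a separate firewall product by refusing unauthenticated requests to the affected route from a must-use plugin. The following is an added example written for this advisory, not code from WPGuppy or the plugin; it assumes the route name quoted above and treats "any authenticated WordPress user" as the required level of access, since the capability the plugin intended to check is not stated on this page.

```php
<?php
/**
 * Plugin Name: Temporary guard for guppylite channel-authorize (CVE-2025-6792)
 * Description: Place in wp-content/mu-plugins/ to require an authenticated
 * user on the affected REST route until the vendor patch is applied.
 * Assumption (example only): the route string below is taken from the advisory
 * and "logged-in user" stands in for the plugin's own, unknown capability check.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// REST routes are matched on the part after /wp-json, so the prefix is omitted.
const CVE_2025_6792_GUARDED_ROUTE = '/guppylite/v2/channel-authorize';

/**
 * rest_pre_dispatch callback: return $result unchanged to let WordPress
 * continue, or a WP_Error to short-circuit the request before the handler runs.
 */
function cve_2025_6792_guard( $result, $server, $request ) {
    // Leave every other REST request untouched.
    if ( $request->get_route() !== CVE_2025_6792_GUARDED_ROUTE ) {
        return $result;
    }

    // By the time this filter fires, WordPress has already evaluated cookie+nonce
    // or application-password authentication, so this reflects a real session.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Log the refusal so it can be correlated with web-server access logs.
    error_log( sprintf(
        'CVE-2025-6792 guard: refused unauthenticated %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden',
        'Authentication is required for this endpoint.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_pre_dispatch', 'cve_2025_6792_guard', 10, 3 );
```

As the advisory notes, blocking this route may break legitimate chat functionality for visitors who are not logged in; remove the file once the patched plugin version is installed.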
No known patch is available. Review the vulnerability details carefully and apply mitigations according to your organization's risk tolerance. Ideally, uninstall the affected software and look for an alternative.
CVE-2025-6792 is an Information Disclosure vulnerability in the One to one user Chat plugin for WordPress, allowing unauthenticated attackers to view private chat messages due to a missing capability check.
You are affected if your WordPress site uses the One to one user Chat plugin and is running version 1.1.4 or earlier. Upgrade as soon as a patch is available.
Upgrade the One to one user Chat plugin to a version newer than 1.1.4. Temporarily disable the plugin or restrict access to the vulnerable endpoint as a workaround until the patch is applied.
No active exploitation has been confirmed as of this date, but the vulnerability's ease of exploitation suggests a potential risk.
Check the WPGuppy website and the WordPress plugin directory for official advisories and updates regarding CVE-2025-6792.