CVE-2025-48167

2025-07-16 [email protected]

Lifecycle Timeline

CVE Published: Jul 16, 2025 - 11:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)

Description (NVD)

Missing Authorization vulnerability in alexvtn Chatbox Manager wa-chatbox-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chatbox Manager: from n/a through <= 1.2.5.

Analysis (AI)

Missing authorization in the Chatbox Manager WordPress plugin, versions up to and including 1.2.5, lets a user reach plugin functionality that should have required a higher privilege level. The attack pattern named in the NVD description, Exploiting Incorrectly Configured Access Control Security Levels, is CAPEC-180: the code applies its access checks inconsistently or not at all, so a lower-privileged caller gets the access intended for a higher one. The public advisory does not state which plugin actions are exposed or what privilege level an attacker needs, so treat every authenticated role as in scope until the vendor's changelog says otherwise. With an EPSS score of 0.05% and no evidence of active exploitation, this is a lower-priority issue suitable for routine patching cycles.

Technical Context (AI)

This vulnerability is classified as CWE-862 (Missing Authorization): the software performs a protected operation without first checking that the caller is allowed to perform it. In a WordPress plugin this most often means an admin-ajax handler (registered with wp_ajax_* or, worse, wp_ajax_nopriv_*, which also admits logged-out visitors), an admin_post handler, or a REST route whose callback reads or writes plugin settings without calling current_user_can() for an appropriate capability, or whose permission_callback is '__return_true'. The advisory does not say which of these applies to Chatbox Manager. One caveat a reviewer should keep in mind: a nonce check (wp_verify_nonce() or check_ajax_referer()) is CSRF protection, not authorization. A handler that verifies a nonce but never checks a capability is still CWE-862, because any logged-in user can obtain a nonce from a page that prints it. WordPress has no built-in "security levels"; authorization is expressed entirely as capabilities attached to roles (subscriber, contributor, author, editor, administrator), so the fix is a capability check at the top of every privileged handler, applied uniformly rather than only on some code paths.
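As an added illustration of the defect class, not code from Chatbox Manager or from alexvtn, the following plugin fragment shows a vulnerable admin-ajax handler and REST route beside their hardened forms. The hook names, option name, route namespace and the manage_options capability are all hypothetical; the WordPress functions (add_action, current_user_can, check_ajax_referer, wp_send_json_error, register_rest_route) are real core APIs.

```php
<?php
/**
 * Added example of CWE-862 in a WordPress plugin. This is NOT code from
 * Chatbox Manager; hook, option, route and capability names are hypothetical.
 */

// --- Vulnerable pattern: anyone who can reach admin-ajax.php changes settings ---
add_action( 'wp_ajax_example_chatbox_save', 'example_chatbox_save_vulnerable' );
// Registering the _nopriv variant additionally exposes the handler to logged-out visitors.
add_action( 'wp_ajax_nopriv_example_chatbox_save', 'example_chatbox_save_vulnerable' );

function example_chatbox_save_vulnerable() {
    // No current_user_can() check: every caller, at every role, reaches update_option().
    $greeting = isset( $_POST['greeting'] ) ? sanitize_text_field( wp_unslash( $_POST['greeting'] ) ) : '';
    update_option( 'example_chatbox_greeting', $greeting );
    wp_send_json_success();
}

// --- Hardened pattern: authorization first, CSRF check second ---
add_action( 'wp_ajax_example_chatbox_save_v2', 'example_chatbox_save_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: logged-out users must not reach this at all.

function example_chatbox_save_hardened() {
    // Authorization (the CWE-862 fix): only users holding the capability proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: a nonce is not authorization, but it is still required so an
    // administrator cannot be tricked by another site into submitting this request.
    check_ajax_referer( 'example_chatbox_save', 'nonce' );

    $greeting = isset( $_POST['greeting'] ) ? sanitize_text_field( wp_unslash( $_POST['greeting'] ) ) : '';
    update_option( 'example_chatbox_greeting', $greeting );
    wp_send_json_success();
}

// --- The same defect on a REST route: a permission_callback that always allows ---
add_action( 'rest_api_init', function () {
    // Vulnerable: '__return_true' makes a settings-changing route fully public.
    register_rest_route( 'example-chatbox/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_chatbox_rest_save',
        'permission_callback' => '__return_true',
    ) );
    // Hardened: the permission callback enforces the capability before the callback runs.
    register_rest_route( 'example-chatbox/v1', '/settings-v2', array(
        'methods'             => 'POST',
        'callback'            => 'example_chatbox_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_chatbox_rest_save( WP_REST_Request $request ) {
    $greeting = sanitize_text_field( (string) $request->get_param( 'greeting' ) );
    update_option( 'example_chatbox_greeting', $greeting );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of bug, list every add_action( 'wp_ajax_ ... ), add_action( 'wp_ajax_nopriv_ ... ), add_action( 'admin_post_ ... ) and register_rest_route( ... ) call, then confirm that each handler reaches current_user_can() (or a non-trivial permission_callback) before any read or write of options, posts or user data; a nonce check on its own does not count.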

Affected Products (AI)

Chatbox Manager by alexvtn (WordPress.org plugin slug wa-chatbox-manager) is affected in all versions from initial release through and including 1.2.5. The NVD entry gives the range only as "n/a through <= 1.2.5" and does not name a fixed release. Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Plugin/wa-chatbox-manager/vulnerability/wordpress-chatbox-manager-plugin-1-2-5-broken-access-control-vulnerability) is the source of the affected version range and advisory details.

Remediation (AI)

First establish the installed version, from the Plugins screen in the WordPress admin or with WP-CLI (wp plugin get wa-chatbox-manager --field=version). Update Chatbox Manager to a release newer than 1.2.5 as soon as the plugin author publishes one on the WordPress.org plugin repository; until then, if chatbox functionality is not critical, deactivate or uninstall the plugin to remove the exposure, since a missing authorization check cannot be corrected from the site configuration alone. Independently of the patch, review WordPress role and capability assignments so that only intended users (typically administrators or support staff) hold the capabilities that govern chatbox settings, prune stale low-privileged accounts (any authenticated role may be in scope, as the advisory does not state the required privilege level), and consider a capability management plugin if more granular control is needed. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wa-chatbox-manager/vulnerability/wordpress-chatbox-manager-plugin-1-2-5-broken-access-control-vulnerability) for a fixed version.


CVE-2025-48167 vulnerability details – vuln.today
