Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Network-reachable WordPress endpoint exploitable by any subscriber (PR:L, AC:L, UI:N); description supports only limited confidentiality impact, with no evidence of integrity, availability, or cross-component scope change.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Sensitive Data Exposure in Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 versions.
AnalysisAI
Sensitive data exposure in the Chatway Live Chat WordPress plugin (versions <= 1.4.8) allows authenticated subscriber-level users to access information they should not have visibility into. The flaw, reported by Patchstack and tracked as CWE-201 (Insertion of Sensitive Information Into Sent Data), has a CVSS 3.1 score of 7.4 with scope change. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Chatway Live Chat is a WordPress plugin providing live chat, AI chatbot, helpdesk, FAQ and customer-support widget functionality (CPE: cpe:2.3:a:chatway_live_chat:chatway_live_chat...:*). The root cause class is CWE-201, where sensitive information is inserted into data that is sent to actors not authorized to view it - typically via a REST/AJAX endpoint or rendered widget that fails to filter response fields based on the requester's role. Because WordPress assigns every registered user at least the subscriber role by default, any endpoint that authorizes 'logged-in' users without further capability checks effectively exposes data to the lowest privileged tier of the site.
RemediationAI
Upstream fix availability is not independently confirmed from the supplied data; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/chatway-live-chat/vulnerability/wordpress-chatway-live-chat-ai-chatbot-customer-support-faq-helpdesk-customer-service-chat-buttons-plugin-1-4-8-sensitive-data-exposure-vulnerability should be consulted for the patched release, and administrators should upgrade Chatway Live Chat to the first version above 1.4.8 once published. Until a fix is applied, restrict or disable open user registration in WordPress (Settings → General → 'Anyone can register') so that attackers cannot trivially obtain a subscriber account - accepting the trade-off that legitimate self-service signup is blocked - and audit existing subscriber-tier accounts for unfamiliar users. As a compensating control, block or rate-limit the plugin's REST/AJAX endpoints (typically under /wp-json/chatway/ and admin-ajax.php actions prefixed with the plugin slug) via a WAF or web server rules for non-administrator sessions, recognising this may break legitimate chat functionality for logged-in customers.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36878
GHSA-7q28-f9qc-33fv