Skip to main content

Chatway Live Chat EUVDEUVD-2026-36878

| CVE-2026-49082 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-15 Patchstack GHSA-7q28-f9qc-33fv
7.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
4.3 MEDIUM

Network-reachable WordPress endpoint exploitable by any subscriber (PR:L, AC:L, UI:N); description supports only limited confidentiality impact, with no evidence of integrity, availability, or cross-component scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:36 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in Chatway Live Chat &#8211; AI Chatbot, Customer Support, FAQ &amp; Helpdesk Customer Service &amp; Chat Buttons <= 1.4.8 versions.

AnalysisAI

Sensitive data exposure in the Chatway Live Chat WordPress plugin (versions <= 1.4.8) allows authenticated subscriber-level users to access information they should not have visibility into. The flaw, reported by Patchstack and tracked as CWE-201 (Insertion of Sensitive Information Into Sent Data), has a CVSS 3.1 score of 7.4 with scope change. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Chatway Live Chat is a WordPress plugin providing live chat, AI chatbot, helpdesk, FAQ and customer-support widget functionality (CPE: cpe:2.3:a:chatway_live_chat:chatway_live_chat...:*). The root cause class is CWE-201, where sensitive information is inserted into data that is sent to actors not authorized to view it - typically via a REST/AJAX endpoint or rendered widget that fails to filter response fields based on the requester's role. Because WordPress assigns every registered user at least the subscriber role by default, any endpoint that authorizes 'logged-in' users without further capability checks effectively exposes data to the lowest privileged tier of the site.

RemediationAI

Upstream fix availability is not independently confirmed from the supplied data; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/chatway-live-chat/vulnerability/wordpress-chatway-live-chat-ai-chatbot-customer-support-faq-helpdesk-customer-service-chat-buttons-plugin-1-4-8-sensitive-data-exposure-vulnerability should be consulted for the patched release, and administrators should upgrade Chatway Live Chat to the first version above 1.4.8 once published. Until a fix is applied, restrict or disable open user registration in WordPress (Settings → General → 'Anyone can register') so that attackers cannot trivially obtain a subscriber account - accepting the trade-off that legitimate self-service signup is blocked - and audit existing subscriber-tier accounts for unfamiliar users. As a compensating control, block or rate-limit the plugin's REST/AJAX endpoints (typically under /wp-json/chatway/ and admin-ajax.php actions prefixed with the plugin slug) via a WAF or web server rules for non-administrator sessions, recognising this may break legitimate chat functionality for logged-in customers.

Share

EUVD-2026-36878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy