WordPress Plugin Vulnerabilities

AtomChat < 1.1.5 - Unauthenticated Credits Update

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'credits' REST API function, allowing unauthenticated attackers to manipulate user credits when the myCred plugin is installed.

Affects Plugins

Plugin icon
atomchat
Fixed in 1.1.5

References

CVE
CVE-2023-46606
URL
https://patchstack.com/database/vulnerability/atomchat/wordpress-atomchat-plugin-1-1-4-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
651b5fab-ca36-4df3-94b1-947865ed7352

Timeline

Publicly Published
2023-10-24 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-04-22 (about 2 years ago)

Other

Published
Title
Published
2024-07-09
Title
Woocommerce OpenPos < 7.0.2 - Unauthenticated Sensitive Information Disclosure
Published
2025-08-25
Title
Page Manager for Elementor <= 2.0.5 - Missing Authorization
Published
2025-10-04
Title
TS Demo Importer <= 0.1.2 - Missing Authorization
Published
2024-02-22
Title
Admin side data storage for Contact Form 7 <= 1.1.1 - Missing Authorization to Unauthenticated Bookmark Status Alteration
Published
2024-06-03
Title
Debug Log Manager < 2.3.2 - Missing Authorization