RumbleTalk Live Group Chat < 6.2.0 – Missing Authorization via handleRequest | CVE 2023-45828 | Plugin Vulnerabilities

Description

The RumbleTalk Live Group Chat plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handleRequest AJAX function in versions up to, and including, 6.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve or update tokens, create, update, refresh, and delete chats, and create accounts.

Affects Plugins

rumbletalk-chat-a-chat-with-themes

Fixed in 6.2.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d9d6e168-a768-4062-9ef1-0be9d6c65c51

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Verified

No

WPVDB ID

f7760439-7016-421f-bb89-706ce126401d

Timeline

Publicly Published

2023-10-13 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-12 (about 2 years ago)

Other

Published

Title

Published

2026-03-02

Title

Mailercloud – Integrate webforms and synchronize website contacts <= 1.0.7 - Missing Authorization

Published

2024-12-14

Title

Torod – The smart shipping and delivery portal for e-shops and retailers < 1.8 - Missing Authorization to Unauthenticated Plugin Settings Update

Published

2023-12-27

Title

FunnelKit Checkout < 3.11.0 - Unauthenticated Arbitrary Content Deletion

Published

2025-04-15

Title

JetTricks < 1.5.1.1 - Missing Authorization

Published

2025-12-11

Title

Premmerce Brands for WooCommerce < 1.2.14 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update