WordPress Security Bulletin: One to one user Chat by WPGuppy Plugin Vulnerability (CVE-2025-6792)

On this page

Security Alert Summary

The One to one user Chat by WPGuppy WordPress plugin contains a vulnerability that can allow unauthenticated attackers to access private chat content. The issue is caused by a missing capability check on a REST endpoint, which can enable interception and viewing of private messages between users.


CVE Details

  • CVE ID: CVE-2025-6792
  • Affected plugin / component: One to one user Chat by WPGuppy plugin for WordPress
  • Affected versions: All versions up to, and including, 1.1.4
  • Published: February 14, 2026 at 7:16:07 AM
  • Last modified: February 14, 2026 at 7:16:07 AM
  • CVSS v3.1 base score / severity / vector: 5.3 / MEDIUM / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Authentication / privileges / user interaction: Privileges Required: NONE; User Interaction: NONE (unauthenticated access possible)
  • Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
  • CWE / weakness ID: CWE-306

Technical Details

The vulnerability is caused by a missing capability check on the REST endpoint /wp-json/guppylite/v2/channel-authorize. Because the endpoint does not enforce the expected permission checks, unauthenticated requests can reach functionality intended to authorize or manage private chat channels. As described in the CVE, this lack of authorization makes it possible for attackers to intercept and view private chat messages between users.

The issue exists in all plugin versions up to and including 1.1.4. The CVE description identifies the specific endpoint lacking the capability check; no additional functions or endpoints are named in the provided entry.


How This Could Impact Your Website

Consider a site with several user roles: a site owner who manages plugins, internal staff who use the chat for coordination, and external contributors or contractors who communicate via the plugin. If the endpoint can be accessed without proper authorization, an unauthenticated attacker could view private chat messages exchanged between these users. Practical consequences include exposure of private conversation content and any sensitive information shared in those chats, and an increased risk of targeted phishing or social engineering based on information gleaned from messages.

The confidentiality impact here is rated as LOW in the CVSS data, which indicates limited exposure rather than full system compromise. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (the CVE notes affected versions through 1.1.4).
  • Review and reduce unnecessary user roles, especially contributor-level accounts and other accounts with messaging access.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site activity and logs for unusual access patterns or unexpected requests to REST endpoints like /wp-json/guppylite/v2/channel-authorize.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References