
CVE-2025-12751: CWE-862 Missing Authorization in elextensions WSChat – WordPress Live Chat

Severity: Medium
Tags: Vulnerability, CVE-2025-12751, CWE-862
Published: Wed Nov 19 2025 (11/19/2025, 05:45:11 UTC)
Source: CVE Database V5
Vendor/Project: elextensions
Product: WSChat – WordPress Live Chat

Description

The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

AI-Powered Analysis

AI analysis last updated: 11/19/2025, 06:51:31 UTC

Technical Analysis

CVE-2025-12751 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WSChat – WordPress Live Chat plugin, a popular plugin used to provide live chat functionality on WordPress websites. The vulnerability arises because the 'reset_settings' AJAX endpoint lacks proper capability checks, allowing any authenticated user with at least Subscriber-level privileges to reset the plugin's settings. This missing authorization means that users who normally have limited access rights can modify critical plugin configurations without proper permissions. The vulnerability affects all versions up to and including 3.1.6. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (remote), requires low attack complexity, and low privileges (authenticated user), but no user interaction is needed. The impact is limited to integrity, as attackers can alter plugin settings but cannot directly compromise confidentiality or availability. No known exploits have been reported in the wild, and no patches were listed at the time of publication. The vulnerability could be exploited by malicious insiders or compromised accounts to disrupt chat services or prepare for further attacks by misconfiguring the plugin.
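The root cause as a pattern, in an added example that is not WSChat's code: the function, hook and option names are hypothetical; what matters is that the vulnerable handler is reachable by any logged-in user and never asks whether that user may change plugin settings, while the hardened one checks a nonce and a capability first.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed wschat_example_ and the
// option key are hypothetical; only the missing vs. present authorization check is real.

// Vulnerable pattern (CWE-862): 'wp_ajax_*' hooks run for every authenticated user,
// so a Subscriber reaches the callback, and the callback itself performs no check.
add_action( 'wp_ajax_wschat_example_reset_settings', 'wschat_example_reset_settings_vulnerable' );
function wschat_example_reset_settings_vulnerable() {
    delete_option( 'wschat_example_settings' );   // hypothetical option key
    wp_send_json_success( 'settings reset' );
}

// Hardened pattern: CSRF protection (nonce) plus authorization (capability) before
// any state change. Both checks belong in the callback, not only in the UI.
function wschat_example_reset_settings_hardened() {
    // Rejects requests that did not originate from a page the plugin rendered.
    check_ajax_referer( 'wschat_example_reset', 'nonce' );

    // Only users allowed to manage site options may reset plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends JSON and exits
    }

    delete_option( 'wschat_example_settings' );
    wp_send_json_success( 'settings reset' );
}
```

A quick audit check for any plugin: grep its `add_action( 'wp_ajax_` registrations and confirm each callback calls `current_user_can()` (and ideally `check_ajax_referer()`) before touching options.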

Potential Impact

For European organizations, this vulnerability could lead to unauthorized changes in live chat configurations, potentially disrupting customer service operations or enabling attackers to manipulate chat behavior for social engineering or phishing attacks. While it does not directly expose sensitive data or cause denial of service, altered settings could degrade user experience or facilitate further exploitation. Organizations relying on WSChat for customer interaction, especially in sectors like e-commerce, finance, or public services, may face reputational damage or operational challenges. The requirement for authenticated access limits exposure but does not eliminate risk, particularly in environments with weak user access controls or where Subscriber-level accounts are widely distributed. The lack of known exploits suggests limited current threat but does not preclude future exploitation, especially as the vulnerability becomes public knowledge.

Mitigation Recommendations

European organizations should immediately audit user roles and permissions on WordPress sites using WSChat to ensure that only trusted users have Subscriber-level or higher access. Implement strict access controls and consider restricting or disabling the 'reset_settings' AJAX endpoint via web application firewalls or custom code until an official patch is released. Monitoring and alerting on configuration changes to the WSChat plugin can help detect unauthorized resets promptly. Applying the latest plugin updates once available is critical. Additionally, organizations should enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of account compromise. For high-risk environments, consider isolating or limiting plugin usage or replacing WSChat with alternative solutions that have robust authorization controls.
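One way to implement the "custom code" stop-gap and the change monitoring suggested above, as an added example rather than vendor code: a must-use plugin that hooks the endpoint's action at an earlier priority than the plugin's own handler and refuses non-administrators. The AJAX action name is a placeholder and must be replaced with the one the plugin actually registers (look for its `add_action( 'wp_ajax_...` call); the example also assumes the endpoint is a standard `admin-ajax.php` action.

```php
<?php
/**
 * Plugin Name: WSChat reset_settings guard (temporary, added example)
 * Description: Drop into wp-content/mu-plugins/ until the vendor fix is applied.
 */

// ASSUMPTION: placeholder action name; confirm the real one in the plugin source.
define( 'WSCHAT_GUARD_ACTION', 'wschat_reset_settings_PLACEHOLDER' );

// Hooks run in ascending priority order; priority 0 fires before the plugin's
// default priority 10, so this callback can stop the request first.
add_action( 'wp_ajax_' . WSCHAT_GUARD_ACTION, 'wschat_guard_block_reset', 0 );

function wschat_guard_block_reset() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrator: let the plugin's own handler run
    }
    $user = wp_get_current_user();
    // Log the attempt so unauthorized resets are visible to monitoring.
    error_log( sprintf(
        'wschat-guard: blocked action=%s user_id=%d login=%s ip=%s',
        WSCHAT_GUARD_ACTION,
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( 'forbidden', 403 ); // exits; plugin callback never runs
}
```

Keep the guard in place after patching only if it stays consistent with the vendor fix; remove it once the updated plugin enforces the capability check itself.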


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-11-05T15:05:39.124Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 691d6897a27e6d5e91bc16d4

Added to database: 11/19/2025, 6:49:59 AM

Last enriched: 11/19/2025, 6:51:31 AM

Last updated: 11/22/2025, 12:49:08 PM
