The WSChat – WordPress Live Chat plugin, developed by elextensions, suffers from a missing authorization vulnerability identified as CVE-2025-12751 (CWE-862). This flaw exists in the 'reset_settings' AJAX endpoint, which lacks proper capability checks to verify if the requesting user has sufficient privileges to perform a settings reset. As a result, any authenticated user with at least Subscriber-level access can invoke this endpoint to reset the plugin's configuration to default values. This vulnerability affects all versions up to and including 3.1.6. The issue arises because the plugin fails to enforce role-based access control on a sensitive administrative function, allowing lower-privileged users to perform actions typically reserved for administrators. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low attack complexity, and privileges are required, but there is no impact on confidentiality or availability, only integrity (unauthorized modification of plugin settings). No user interaction is needed beyond authentication. No known exploits have been observed in the wild, and no patches have been published at the time of disclosure. This vulnerability could be leveraged to disrupt chat service configurations, potentially impacting customer support operations or enabling further attacks if security settings are weakened.

The primary impact of this vulnerability is unauthorized modification of the WSChat plugin's settings by users with minimal privileges. This can lead to disruption of live chat services, affecting customer engagement and support capabilities. Altered settings might disable security features or change operational parameters, potentially exposing the site to further risks. While it does not directly lead to data leakage or denial of service, the integrity compromise can indirectly affect business operations and user trust. Organizations relying on WSChat for critical communication may experience degraded service quality or increased administrative overhead to restore configurations. Since exploitation requires only authenticated Subscriber-level access, attackers who gain low-level user accounts or compromise such accounts can leverage this vulnerability. The absence of known exploits reduces immediate risk, but the vulnerability remains a concern for sites with multiple user roles or weak account controls.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict Subscriber and other low-privilege user accounts strictly, ensuring only trusted users have such access. 2) Employ WordPress role management plugins to further limit capabilities and monitor for unauthorized privilege escalations. 3) Disable or restrict access to the WSChat plugin for non-administrative users if feasible. 4) Monitor web server and WordPress logs for suspicious AJAX requests targeting 'reset_settings' endpoints, especially from low-privilege accounts. 5) Consider temporarily deactivating the WSChat plugin if live chat is not critical or if risk tolerance is low. 6) Stay alert for vendor updates or patches and apply them promptly. 7) Implement web application firewalls (WAFs) with custom rules to block unauthorized AJAX calls to sensitive plugin endpoints. These targeted steps go beyond generic advice by focusing on access control hardening, monitoring, and temporary containment.