CVE-2025-12751 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WSChat – WordPress Live Chat plugin developed by elextensions. The issue arises from the absence of a capability check on the 'reset_settings' AJAX endpoint, which is responsible for resetting the plugin's configuration settings. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this endpoint and reset the plugin settings without proper authorization. Since WordPress Subscriber roles typically have limited permissions, this vulnerability effectively elevates their ability to modify plugin configurations, potentially disrupting chat functionality or resetting customizations. The vulnerability affects all versions of the plugin up to and including 3.1.6. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (remote), requires low attack complexity, and low privileges but no user interaction. The impact is limited to integrity, as confidentiality and availability are not directly affected. No public exploits are known at this time, and no patches have been linked yet. The vulnerability was published on November 19, 2025, and assigned by Wordfence. The flaw could be leveraged to disrupt customer communication channels or force administrative overhead to restore settings, impacting business operations relying on live chat support.

For European organizations, this vulnerability poses a moderate risk primarily to the integrity of their WordPress-based customer support infrastructure. Unauthorized resetting of WSChat plugin settings could lead to temporary loss of chat functionality, misconfiguration, or removal of custom settings, potentially degrading customer experience and support responsiveness. While it does not expose sensitive data or cause denial of service, the disruption could affect e-commerce sites, service providers, and any business relying on live chat for client interaction. Organizations with multiple users having Subscriber-level access, such as content contributors or registered customers, face a higher risk of exploitation. The impact is more pronounced for companies with high customer interaction volumes or those in regulated sectors where service continuity is critical. Additionally, the lack of known exploits suggests a window of opportunity for attackers to develop weaponized code, emphasizing the need for proactive mitigation.

1. Immediately audit user roles and permissions to ensure that only trusted users have Subscriber-level or higher access, minimizing the attack surface. 2. Implement custom capability checks on the 'reset_settings' AJAX endpoint by modifying the plugin code or using WordPress hooks to restrict access to Administrator roles only. 3. Monitor plugin updates from elextensions and apply patches promptly once released. 4. Employ Web Application Firewalls (WAFs) with rules to detect and block unauthorized AJAX requests targeting the reset_settings endpoint. 5. Conduct regular security reviews and penetration tests focusing on plugin endpoints to identify missing authorization issues. 6. Educate site administrators about the risks of granting unnecessary privileges and encourage the principle of least privilege. 7. Consider temporarily disabling the WSChat plugin if live chat is not critical until a secure version is available. 8. Maintain backups of plugin settings and configurations to enable quick restoration if unauthorized resets occur.