Group Chat & Video Chat by AtomChat Security & Risk Analysis

wordpress.org/plugins/atomchat

AtomChat helps you add group chat (or chatrooms), user to user chat, voice & video calling to your WordPress site.

400 active installs · v1.1.8 · PHP 5.6+ · WP 5.0+ · Updated Mar 31, 2026
Tags: buddypress-chat, chatroom, group-chat, user-to-user-chat, wordpress-chat
Score: 72 · B · Generally Safe
CVEs total: 5
Unpatched: 1
Last CVE: Mar 20, 2026
Safety Verdict

Is Group Chat & Video Chat by AtomChat Safe to Use in 2026?

Mostly Safe

Score 72/100

Group Chat & Video Chat by AtomChat is generally safe to use. 5 past CVEs were resolved.

5 known CVEs · 1 unpatched · Last CVE: Mar 20, 2026 · Updated 1mo ago
Risk Assessment

The atomchat plugin exhibits a concerning security posture, marked by a significant number of unprotected entry points and a history of medium-severity vulnerabilities, including Cross-Site Scripting and Missing Authorization. While the plugin demonstrates good practices in SQL query handling and output escaping, the high percentage of unprotected AJAX handlers and REST API routes presents a substantial attack surface. The presence of the 'unserialize' function is a red flag, especially when combined with unsanitized input paths identified in the taint analysis. The vulnerability history, particularly the unpatched CVEs and recurring themes of XSS and authorization flaws, indicates a pattern of potential weaknesses that have been exploited in the past and may continue to be present.

Despite strengths in areas like SQL prepared statements and output escaping, the numerous unprotected entry points and the historical vulnerability data create a high-risk profile. The plugin's last reported vulnerability in 2026 suggests a recent or ongoing maintenance issue, which, coupled with unpatched CVEs, amplifies the risk. The plugin's security is compromised by its exposed functionalities and its historical tendency to harbor exploitable flaws. Users should exercise extreme caution and consider alternatives until these issues are fully addressed.

Key Concerns

  • High number of unprotected AJAX handlers
  • REST API route without permission callback
  • Unpatched CVEs (2)
  • History of Cross-Site Scripting
  • History of Missing Authorization
  • Unsanitized paths in taint analysis
  • Dangerous function 'unserialize' used
  • Only 2 capability checks found
  • Only 1 nonce check found
Vulnerabilities
5 published

Group Chat & Video Chat by AtomChat Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 2 CVEs · unpatched
  • 2026: 1 CVE

Severity Breakdown

Medium: 5

5 total CVEs

CVE-2026-1253 · medium · 4.3 · Missing Authorization

Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update

Mar 20, 2026 · Patched in 1.1.8 (38d)

CVE-2025-31831 · medium · 4.3 · Missing Authorization

AtomChat <= 1.1.7 - Missing Authorization

Apr 1, 2025 · Patched in 1.1.8 (380d)

CVE-2025-31532 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AtomChat <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 31, 2025 · Unpatched

CVE-2024-10232 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AtomChat <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via atomchat Shortcode

Oct 31, 2024 · Patched in 1.1.6 (1d)

CVE-2023-46606 · medium · 5.3 · Missing Authorization

AtomChat <= 1.1.4 - Missing Authorization via credits REST API Endpoint

Oct 24, 2023 · Patched in 1.1.5 (373d)
Code Analysis
Analyzed Apr 16, 2026

Group Chat & Video Chat by AtomChat Code Analysis

  • Dangerous Functions: 4
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 9 (103 escaped)
  • Nonce Checks: 1
  • Capability Checks: 2
  • File Operations: 4
  • External Requests: 4
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · admin/atomchat-admin.php:216
    $role_data = (!empty(get_option("atomchat_".$value))) ? unserialize(get_option("atomchat_".$value))

unserialize · plugins/mycred/credits.php:73
    $creditToDeduct = unserialize(get_option("atomchat_".$role));

unserialize · plugins/mycred/credits.php:168
    $details = !empty(get_option("atomchat_".$roles)) ? unserialize(get_option("atomchat_".$roles)) : ""

unserialize · plugins/mycred/credits.php:208
    $rolefeature = unserialize($rolefeature);

Output Escaping

92% escaped · 112 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
atomchat_update_credeits (includes/atomchat_requesthandler.php:214)
Attack Surface
8 unprotected

Group Chat & Video Chat by AtomChat Attack Surface

Entry Points: 10
Unprotected: 8

AJAX Handlers (7)

  • auth · wp_ajax_atomchat_action · atomchat.php:249
  • auth · wp_ajax_atomchatCheckLicenseKey · includes/atomchat_requesthandler.php:288
  • auth · wp_ajax_atomchat_friend_ajax · includes/atomchat_requesthandler.php:289
  • auth · wp_ajax_atomchat_mycred_setting · includes/atomchat_requesthandler.php:290
  • auth · wp_ajax_atomchat_update_credeits · includes/atomchat_requesthandler.php:291
  • auth · wp_ajax_atomchat_update_auth_ajax · includes/atomchat_requesthandler.php:292
  • auth · wp_ajax_atomchat_update_layout_ajax · includes/atomchat_requesthandler.php:293

REST API Routes (2)

  • POST · /wp-json/api/v1/atomchatLogin · atomchat.php:211
  • POST · /wp-json/plugins/mycred/credits · atomchat.php:221

Shortcodes (1)

  • [atomchat] · includes/atomchat_cloud.php:373

WordPress Hooks (10)

  • action · rest_api_init · atomchat.php:210
  • action · rest_api_init · atomchat.php:220
  • filter · https_ssl_verify · atomchat.php:246
  • action · admin_menu · atomchat.php:250
  • action · wp_head · includes/atomchat_cloud.php:368
  • action · wp_head · includes/atomchat_cloud.php:370
  • action · init · includes/atomchat_cloud.php:372
  • action · atomchat_buddypress_groups_sync_scheduler · includes/atomchat_cloud.php:376
  • action · groups_group_create_complete · includes/atomchat_cloud.php:377
  • action · groups_details_updated · includes/atomchat_cloud.php:378

Scheduled Events (2)

  • atomchat_buddypress_groups_sync_scheduler
  • atomchat_buddypress_groups_sync_scheduler
Maintenance & Trust

Group Chat & Video Chat by AtomChat Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 31, 2026
  • PHP min version: 5.6
  • Downloads: 35K

Community Trust

  • Rating: 92/100
  • Number of ratings: 8
  • Active installs: 400
Developer Profile

Group Chat & Video Chat by AtomChat Developer Profile

Team AtomChat

1 plugin · 400 total installs

  • Trust score: 59
  • Avg Security Score: 72/100
  • Avg Patch Time: 198 days
Detection Fingerprints

How We Detect Group Chat & Video Chat by AtomChat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/atomchat/includes/atomchat_cloud.php
  • /wp-content/plugins/atomchat/includes/atomchat_selfhosted.php
  • /wp-content/plugins/atomchat/includes/atomchat_requesthandler.php
  • /wp-content/plugins/atomchat/api/v1/atomchatLogin.php
  • /wp-content/plugins/atomchat/plugins/mycred/credits.php
  • /wp-content/plugins/atomchat/images/atom_chat_white_ icon.png

Version Parameters
  • atomchat/style.css?ver=
  • atomchat/script.js?ver=

HTML / DOM Fingerprints

HTML Comments
  • Start: To change the default plugin load order to avoid buddypress plugin conflict
  • End: To change the default plugin load order to avoid buddypress plugin conflict

Data Attributes
  • data-atomchat-license-key
  • data-atomchat-client-id

JS Globals
  • atomchat_clientid
  • atomchat_old_clientid

REST Endpoints
  • /wp-json/api/v1/atomchatLogin
  • /wp-json/plugins/mycred/credits

Shortcode Output
  • [atomchat]
  • [atomchat_chatbox]
FAQ

Frequently Asked Questions about Group Chat & Video Chat by AtomChat