One to one user Chat by WPGuppy Security & Risk Analysis

wordpress.org/plugins/wpguppy-lite

WPGuppy is a well thought and clinically designed and developed WordPress chat plugin which has been engineered to fulfill the market needs.

800 active installs v1.1.6 PHP 8.1+ WP 6.0+ Updated Mar 12, 2026
Tags: chat · group-chat · real-time-chat · user-to-user-chat · video-chat
Score: 57 (C · Use Caution)
CVEs total: 6
Unpatched: 1
Last CVE: Feb 13, 2026
Safety Verdict

Is One to one user Chat by WPGuppy Safe to Use in 2026?

Use With Caution

Score 57/100

One to one user Chat by WPGuppy has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

6 known CVEs · 1 unpatched · Last CVE: Feb 13, 2026 · Updated 22d ago
Risk Assessment

The wpguppy-lite plugin v1.1.6 exhibits a mixed security posture. On the positive side, the static analysis shows a strong emphasis on security best practices with a high percentage of properly escaped outputs and a significant portion of SQL queries utilizing prepared statements. The presence of nonce and capability checks on entry points, along with zero unsanitized taint flows, indicates an awareness of fundamental security principles. However, several concerning factors significantly elevate the risk profile. The plugin has a history of six known CVEs, with one critical and one high-severity vulnerability currently unpatched. The types of past vulnerabilities are particularly worrying, including Missing Authentication/Authorization, SQL Injection, Authorization Bypass, Incorrect Privilege Assignment, and Deserialization of Untrusted Data. The presence of 'unserialize' as a dangerous function, combined with the historical deserialization vulnerability, presents a direct and serious risk of Remote Code Execution if not handled with extreme caution and validation.

While the current static analysis shows zero unprotected entry points and no unsanitized taint flows, this does not negate the historical vulnerabilities. The past discovery of critical vulnerabilities like 'Deserialization of Untrusted Data' and 'Missing Authentication for Critical Function' suggests that these issues may exist in the current version or could be reintroduced in future updates without proper vigilance. The critical unpatched vulnerability, in particular, poses an immediate threat. The plugin's substantial vulnerability history, especially the recurring themes of authentication, authorization, and data handling issues, points to systemic weaknesses that require ongoing and rigorous security auditing. Therefore, despite some positive code practices, the significant number and nature of historical and currently unpatched vulnerabilities make this plugin a high-risk component for any WordPress installation.

Key Concerns

  • Currently unpatched critical vulnerability
  • Currently unpatched high severity vulnerability
  • Past critical vulnerabilities: Deserialization, Auth bypass
  • Past high vulnerabilities: Missing Auth/Authz, SQLi
  • Dangerous function: unserialize detected
  • Past medium vulnerabilities (4)
  • Past low vulnerabilities (0 - but covered by others)
  • SQL queries without prepared statements (30% of 20)
Vulnerabilities
6

One to one user Chat by WPGuppy Security Vulnerabilities

CVEs by Year

2025: 5 CVEs
2026: 1 CVE · unpatched

Severity Breakdown

Critical: 1
High: 1
Medium: 4

6 total CVEs

CVE-2025-6792 · medium · 5.3 · Missing Authentication for Critical Function

One to one user Chat by WPGuppy <= 1.1.4 - Unauthenticated Information Disclosure via Chat Message Interception

Feb 13, 2026 · Unpatched

CVE-2025-49910 · medium · 5.3 · Missing Authorization

WPGuppy <= 1.1.4 - Missing Authorization

Aug 14, 2025 · Patched in 1.1.5 (83d)

CVE-2025-30775 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WPGuppy <= 1.1.3 - Authenticated (Subscriber+) SQL Injection

Mar 27, 2025 · Patched in 1.1.4 (8d)

CVE-2025-24643 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

One to one user Chat by WPGuppy <= 1.1.0 - Authorization Bypass

Jan 9, 2025 · Patched in 1.1.1 (47d)

CVE-2024-56280 · high · 8.8 · Incorrect Privilege Assignment

WPGuppy <= 1.1.0 - Authenticated (Subscriber+) Privilege Escalation

Jan 3, 2025 · Patched in 1.1.1 (6d)

CVE-2024-49222 · critical · 9.8 · Deserialization of Untrusted Data

WPGuppy <= 1.1.0 - Unauthenticated PHP Object Injection

Jan 3, 2025 · Patched in 1.1.1 (6d)

Code Analysis
Analyzed Mar 16, 2026

One to one user Chat by WPGuppy Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 6 (14 prepared)
Unescaped Output: 8 (285 escaped)
Nonce Checks: 4
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

includes\class-wp-guppy-model.php:213 · unserialize · $userImage = unserialize($info['user_image'], ['allowed_classes' => false]);
includes\class-wp-guppy-rest-api.php:1794 · unserialize · $userImage = unserialize($info['user_image'], ['allowed_classes' => false]);
includes\class-wp-guppy-rest-api.php:2330 · unserialize · $message = is_serialized($message) ? unserialize($message, ['allowed_classes' => false]) : $message;
includes\class-wp-guppy-rest-api.php:2424 · unserialize · $message = is_serialized($result['message']) ? unserialize($result['message'], ['allowed_classes' =>
includes\class-wp-guppy-rest-api.php:2431 · unserialize · $messageData['replyMessage'] = !empty($result['reply_message']) ? unserialize($result['reply_messa
includes\class-wp-guppy-rest-api.php:2604 · unserialize · $replyMessage['attachmentsData'] = !empty($messageDetail['attachments']) ? unserialize($messageDetai
includes\class-wp-guppy-rest-api.php:2829 · unserialize · $userImage = unserialize($info['user_image'], ['allowed_classes' => false]);

SQL Query Safety

70% prepared · 20 total queries

Output Escaping

97% escaped · 293 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
wpguppy_load_settings (admin\settings\settings.php:103)
Attack Surface

One to one user Chat by WPGuppy Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers 3

auth · wp_ajax_wpguppy_update_guppy_admin_status · admin\settings\settings.php:17
auth · wp_ajax_get_wpguppy_whatsapp_user_info · admin\settings\settings.php:18
auth · wp_ajax_wpguppy_update_whatsapp_info · admin\settings\settings.php:19

Shortcodes 2

[getGuppyConversation] public\class-wp-guppy-lite-public.php:56
[wpguppy_lite_chat_init] wpbakery\vc-guppy.php:15
WordPress Hooks 36
action · admin_menu · admin\settings\settings.php:16
action · elementor/elements/categories_registered · elementor\config.php:31
action · init · elementor\config.php:32
action · plugins_loaded · includes\class-wp-guppy-lite.php:157
action · admin_enqueue_scripts · includes\class-wp-guppy-lite.php:172
action · admin_enqueue_scripts · includes\class-wp-guppy-lite.php:173
action · wp_enqueue_scripts · includes\class-wp-guppy-lite.php:188
action · wp_enqueue_scripts · includes\class-wp-guppy-lite.php:189
action · wp_enqueue_scripts · includes\class-wp-guppy-rest-api.php:179
action · rest_api_init · includes\class-wp-guppy-rest-api.php:217
filter · wpguppy_default_text · includes\functions.php:275
filter · guppy_time_slots · includes\functions.php:322
action · init · includes\functions.php:333
action · admin_init · includes\functions.php:334
action · wp_logout · includes\functions.php:389
filter · wpguppy_UserOnline · includes\functions.php:411
action · wpguppy_UserLastLogin · includes\functions.php:426
action · wpguppy_send_message_to_user · includes\functions.php:446
action · wpguppy_update_user_information · includes\functions.php:497
filter · wpguppy_is_already_friend · includes\functions.php:527
filter · wpguppy_count_all_unread_messages · includes\functions.php:543
filter · wpguppy_count_specific_user_unread_messages · includes\functions.php:567
action · user_new_form · includes\functions.php:611
action · show_user_profile · includes\functions.php:612
action · edit_user_profile · includes\functions.php:613
action · user_register · includes\functions.php:621
filter · manage_users_columns · includes\functions.php:685
filter · manage_users_custom_column · includes\functions.php:731
filter · body_class · includes\functions.php:747
action · init · includes\functions.php:759
action · admin_init · includes\functions.php:760
action · admin_notices · includes\functions.php:786
action · admin_footer-users.php · includes\functions.php:803
action · wp_footer · public\class-wp-guppy-lite-public.php:55
action · vc_before_init · wpbakery\vc-guppy.php:14
action · admin_notices · wpguppy-lite.php:44
Maintenance & Trust

One to one user Chat by WPGuppy Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 8.1
Downloads: 24K

Community Trust

Rating: 84/100
Number of ratings: 5
Active installs: 800
Developer Profile

One to one user Chat by WPGuppy Developer Profile

AmentoTech Private Limited

1 plugin · 800 total installs

Trust score: 64
Avg Security Score: 57/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect One to one user Chat by WPGuppy

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpguppy-lite/admin/css/wpguppy-admin.css
/wp-content/plugins/wpguppy-lite/admin/css/jquery-confirm.min.css
/wp-content/plugins/wpguppy-lite/admin/settings/js/settings.js
/wp-content/plugins/wpguppy-lite/admin/settings/js/jquery-confirm.min.js
Script Paths
/wp-content/plugins/wpguppy-lite/admin/settings/js/settings.js
/wp-content/plugins/wpguppy-lite/admin/settings/js/jquery-confirm.min.js
Version Parameters
wpguppy-lite/admin/css/wpguppy-admin.css?ver=
wpguppy-lite/admin/css/jquery-confirm.min.css?ver=
wpguppy-lite/admin/settings/js/settings.js?ver=
wpguppy-lite/admin/settings/js/jquery-confirm.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpguppy-lite-settings
wpguppy-admin
Data Attributes
data-wp-guppy-lite-nonce
JS Globals
scripts_constants