Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 - Authenticated (Subscriber+) Information Exposure
Description
The Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.4.8What Changed in the Fix
Changes introduced in v1.4.9
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-49082 (Chatway Information Exposure) ## 1. Vulnerability Summary The **Chatway Live Chat** plugin for WordPress (versions <= 1.4.8) is vulnerable to **Sensitive Information Exposure**. The plugin enqueues administrative JavaScript assets on every admin page fo…
Show full research plan
Exploitation Research Plan: CVE-2026-49082 (Chatway Information Exposure)
1. Vulnerability Summary
The Chatway Live Chat plugin for WordPress (versions <= 1.4.8) is vulnerable to Sensitive Information Exposure. The plugin enqueues administrative JavaScript assets on every admin page for all authenticated users, including those with low privileges like Subscribers. During this process, it uses wp_localize_script to export internal configuration settings—most notably the Chatway API Token (chatway_token)—into the global JavaScript context of the page.
An attacker with Subscriber-level access can log into the WordPress dashboard (e.g., to manage their profile) and extract the site's Chatway authentication token from the page source, allowing them to potentially interact with the Chatway remote API as the site owner.
2. Attack Vector Analysis
- Endpoint: Any WordPress admin page (e.g.,
/wp-admin/profile.php). - Hook:
admin_enqueue_scripts(triggered globally in the admin area). - Vulnerable Function:
Chatway\App\Assets::enqueue_admin_assets(). - Authentication: Authenticated (Subscriber+).
- Payload Location: The HTML source code of the admin page, specifically within a
<script>block containing thechatwayJavaScript object.
3. Code Flow
- Hook Registration: In
app/Assets.php, the__constructmethod registers theenqueue_admin_assetsmethod to theadmin_enqueue_scriptsaction:add_action( 'admin_enqueue_scripts', [$this, 'enqueue_admin_assets'] ); - Lack of Authorization: The
enqueue_admin_assetsfunction does not check for user capabilities (e.g.,current_user_can('manage_options')). It executes for any user capable of accessingwp-admin. - Data Localization: Inside
enqueue_admin_assets, the plugin retrieves the sensitive token from the database and passes it to the frontend:// app/Assets.php: line 103-116 wp_localize_script( 'chatway-app', 'chatway', [ // ... 'token' => get_option( 'chatway_token', '' ), 'siteUrl' => get_site_url(), ] ); - Information Exposure: WordPress renders this data into the HTML as:
<script id="chatway-app-js-extra"> var chatway = {"token":"[SENSITIVE_TOKEN]","siteUrl":"..."}; </script>
4. Nonce Acquisition Strategy
This vulnerability is an Information Exposure, not a state-changing operation (like an exploit for CSRF or SQLi). Therefore, no nonce is required to trigger the exposure. The attacker only needs a valid session cookie for a Subscriber-level user to access the admin area.
5. Exploitation Strategy
The goal is to log in as a Subscriber and extract the chatway.token value from the admin dashboard.
Step-by-Step Plan:
- Authentication: Log into the WordPress instance using Subscriber credentials.
- Request: Use the
http_requesttool to perform a GET request to/wp-admin/profile.php. - Extraction:
- Parse the response body.
- Identify the script block containing
var chatway =. - Extract the value of the
tokenkey.
Payload Details:
- Method:
GET - URL:
http://[target]/wp-admin/profile.php - Cookies: Valid WordPress authentication cookies for a Subscriber.
- Expected Response: A
200 OKstatus with HTML containing the localizedchatwayobject.
6. Test Data Setup
To verify the exposure, the environment must have a token configured:
- Set Token:
wp option update chatway_token "CHATWAY-API-SECRET-TOKEN-999" - Create Attacker:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123 - Plugin State: Ensure the plugin is active and
assets/js/app.asset.phpexists (it is part of the default installation).
7. Expected Results
Upon visiting /wp-admin/profile.php as the attacker user, the response HTML should contain the following string (or similar JSON structure):"token":"CHATWAY-API-SECRET-TOKEN-999"
8. Verification Steps
After performing the HTTP request:
- Manual Verification: Check the output of the
http_requestfor the token string. - Comparison: Use WP-CLI to confirm the extracted token matches the value in the database:
wp option get chatway_token
9. Alternative Approaches
Frontend Exposure
The plugin also exposes the userId and emailId of the current user on the frontend via wp_localize_script('chatway-script', 'wpChatwaySettings', ...) in enqueue_chatway().
- Target: The site homepage or any public post.
- Extracted Data:
wpChatwaySettings.emailIdandwpChatwaySettings.userId. - Significance: This allows any logged-in user to see their own data reflected in JS, but more importantly, it confirms the plugin's behavior of enqueuing user data without strict filtering.
Identity Verification Token
If the chatway_secret_key is set, enqueue_chatway() also exposes an HMAC token in wpChatwaySettings. While this token is specific to the current user's email/ID, capturing it is the first step in analyzing if the signature generation is predictable or if the secret key can be recovered via other exposures.
Summary
The Chatway Live Chat plugin exposes the sensitive `chatway_token` API key to all authenticated users by localizing it into a global JavaScript object on every administrative page. A Subscriber-level user can log into the WordPress dashboard and extract this token from the page source, enabling them to potentially impersonate the site owner in communications with the remote Chatway API.
Vulnerable Code
// app/Assets.php (starting around line 91) public function enqueue_admin_assets() { /** * prepare dynamic dependencies */ $file_path = \Chatway::require( 'assets/js/app.asset.php', true ); if( file_exists( $file_path ) ) { $file = require $file_path; $version = $file['version']; $dependencies = $file['dependencies']; $dependencies[] = 'jquery'; /** * enqueue admin assets */ wp_enqueue_style( 'chatway-fonts', \Chatway::url( 'assets/css/fonts.css' ), [], \Chatway::version(), false ); wp_enqueue_script( 'chatway-app', \Chatway::url( 'assets/js/app.js' ), $dependencies, $version, [ 'in_footer' => true, 'strategy' => 'defer' ] ); wp_enqueue_style( 'chatway-app', \Chatway::url( 'assets/css/app.css' ), [], $dependencies, false ); wp_localize_script( 'chatway-app', 'chatway', [ 'images' => \Chatway::url( 'assets/images/' ), 'dashboardUrl' => Url::admin_url(), 'fullScreenUrl' => Url::full_screen_url(), 'supportURL' => \Chatway::support_url(), 'internalEndpoint' => Url::internal_api(), 'remoteEndpoint' => Url::remote_api(), 'landingPage' => Url::landing_page(), "termsOfService" => Url::terms_of_service(), "privacyPolicy" => Url::privacy_policy(), 'token' => get_option( 'chatway_token', '' ), 'siteUrl' => get_site_url(), ] ); } }
Security Fix
@@ -91,7 +91,11 @@ public function enqueue_admin_assets() { /** * prepare dynamic dependencies - */ + */ + if (!current_user_can('manage_options')) { + return; + } + $file_path = \Chatway::require( 'assets/js/app.asset.php', true ); if( file_exists( $file_path ) ) { $file = require $file_path; @@ -122,7 +126,6 @@ 'landingPage' => Url::landing_page(), "termsOfService" => Url::terms_of_service(), "privacyPolicy" => Url::privacy_policy(), - 'token' => get_option( 'chatway_token', '' ), 'siteUrl' => get_site_url(), ] );
Exploit Outline
1. Authentication: Log into the WordPress site as a user with Subscriber-level access or higher. 2. Access Dashboard: Navigate to any admin page (e.g., /wp-admin/profile.php) to trigger the `admin_enqueue_scripts` hook. 3. Identify Localized Script: Inspect the HTML source code of the page for a `<script>` tag with the ID `chatway-app-js-extra`. 4. Extract Token: Locate the `token` key within the `chatway` JavaScript object. The value assigned to this key is the site's sensitive Chatway API token.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.