CVE-2026-49082

Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 - Authenticated (Subscriber+) Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.4.9
Patched in
6d
Time to patch

Description

The Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.4.8
PublishedJune 5, 2026
Last updatedJune 10, 2026
Affected pluginchatway-live-chat

What Changed in the Fix

Changes introduced in v1.4.9

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-49082 (Chatway Information Exposure) ## 1. Vulnerability Summary The **Chatway Live Chat** plugin for WordPress (versions <= 1.4.8) is vulnerable to **Sensitive Information Exposure**. The plugin enqueues administrative JavaScript assets on every admin page fo…

Show full research plan

Exploitation Research Plan: CVE-2026-49082 (Chatway Information Exposure)

1. Vulnerability Summary

The Chatway Live Chat plugin for WordPress (versions <= 1.4.8) is vulnerable to Sensitive Information Exposure. The plugin enqueues administrative JavaScript assets on every admin page for all authenticated users, including those with low privileges like Subscribers. During this process, it uses wp_localize_script to export internal configuration settings—most notably the Chatway API Token (chatway_token)—into the global JavaScript context of the page.

An attacker with Subscriber-level access can log into the WordPress dashboard (e.g., to manage their profile) and extract the site's Chatway authentication token from the page source, allowing them to potentially interact with the Chatway remote API as the site owner.

2. Attack Vector Analysis

  • Endpoint: Any WordPress admin page (e.g., /wp-admin/profile.php).
  • Hook: admin_enqueue_scripts (triggered globally in the admin area).
  • Vulnerable Function: Chatway\App\Assets::enqueue_admin_assets().
  • Authentication: Authenticated (Subscriber+).
  • Payload Location: The HTML source code of the admin page, specifically within a <script> block containing the chatway JavaScript object.

3. Code Flow

  1. Hook Registration: In app/Assets.php, the __construct method registers the enqueue_admin_assets method to the admin_enqueue_scripts action:
    add_action( 'admin_enqueue_scripts', [$this, 'enqueue_admin_assets'] );
    
  2. Lack of Authorization: The enqueue_admin_assets function does not check for user capabilities (e.g., current_user_can('manage_options')). It executes for any user capable of accessing wp-admin.
  3. Data Localization: Inside enqueue_admin_assets, the plugin retrieves the sensitive token from the database and passes it to the frontend:
    // app/Assets.php: line 103-116
    wp_localize_script(
        'chatway-app', 'chatway', [
            // ...
            'token'            => get_option( 'chatway_token', '' ),
            'siteUrl'          => get_site_url(),
        ] 
    );
    
  4. Information Exposure: WordPress renders this data into the HTML as:
    <script id="chatway-app-js-extra">
    var chatway = {"token":"[SENSITIVE_TOKEN]","siteUrl":"..."};
    </script>
    

4. Nonce Acquisition Strategy

This vulnerability is an Information Exposure, not a state-changing operation (like an exploit for CSRF or SQLi). Therefore, no nonce is required to trigger the exposure. The attacker only needs a valid session cookie for a Subscriber-level user to access the admin area.

5. Exploitation Strategy

The goal is to log in as a Subscriber and extract the chatway.token value from the admin dashboard.

Step-by-Step Plan:

  1. Authentication: Log into the WordPress instance using Subscriber credentials.
  2. Request: Use the http_request tool to perform a GET request to /wp-admin/profile.php.
  3. Extraction:
    • Parse the response body.
    • Identify the script block containing var chatway =.
    • Extract the value of the token key.

Payload Details:

  • Method: GET
  • URL: http://[target]/wp-admin/profile.php
  • Cookies: Valid WordPress authentication cookies for a Subscriber.
  • Expected Response: A 200 OK status with HTML containing the localized chatway object.

6. Test Data Setup

To verify the exposure, the environment must have a token configured:

  1. Set Token: wp option update chatway_token "CHATWAY-API-SECRET-TOKEN-999"
  2. Create Attacker: wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Plugin State: Ensure the plugin is active and assets/js/app.asset.php exists (it is part of the default installation).

7. Expected Results

Upon visiting /wp-admin/profile.php as the attacker user, the response HTML should contain the following string (or similar JSON structure):
"token":"CHATWAY-API-SECRET-TOKEN-999"

8. Verification Steps

After performing the HTTP request:

  1. Manual Verification: Check the output of the http_request for the token string.
  2. Comparison: Use WP-CLI to confirm the extracted token matches the value in the database:
    wp option get chatway_token

9. Alternative Approaches

Frontend Exposure

The plugin also exposes the userId and emailId of the current user on the frontend via wp_localize_script('chatway-script', 'wpChatwaySettings', ...) in enqueue_chatway().

  • Target: The site homepage or any public post.
  • Extracted Data: wpChatwaySettings.emailId and wpChatwaySettings.userId.
  • Significance: This allows any logged-in user to see their own data reflected in JS, but more importantly, it confirms the plugin's behavior of enqueuing user data without strict filtering.

Identity Verification Token

If the chatway_secret_key is set, enqueue_chatway() also exposes an HMAC token in wpChatwaySettings. While this token is specific to the current user's email/ID, capturing it is the first step in analyzing if the signature generation is predictable or if the secret key can be recovered via other exposures.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Chatway Live Chat plugin exposes the sensitive `chatway_token` API key to all authenticated users by localizing it into a global JavaScript object on every administrative page. A Subscriber-level user can log into the WordPress dashboard and extract this token from the page source, enabling them to potentially impersonate the site owner in communications with the remote Chatway API.

Vulnerable Code

// app/Assets.php (starting around line 91)
public function enqueue_admin_assets() {
    /**
     * prepare dynamic dependencies 
     */ 
    $file_path = \Chatway::require( 'assets/js/app.asset.php', true );
    if( file_exists( $file_path ) ) {
        $file = require $file_path;
        $version = $file['version'];
        $dependencies = $file['dependencies'];
        $dependencies[] = 'jquery';

        /**
         * enqueue admin assets 
         */ 
        wp_enqueue_style( 'chatway-fonts', \Chatway::url( 'assets/css/fonts.css' ), [], \Chatway::version(), false );
        wp_enqueue_script(
            'chatway-app', \Chatway::url( 'assets/js/app.js' ), $dependencies, $version, [
                'in_footer' => true,
                'strategy'  => 'defer'
            ] 
        );
        wp_enqueue_style( 'chatway-app', \Chatway::url( 'assets/css/app.css' ), [], $dependencies, false );

        wp_localize_script(
            'chatway-app', 'chatway', [
                'images'           => \Chatway::url( 'assets/images/' ),
                'dashboardUrl'     => Url::admin_url(),
                'fullScreenUrl'    => Url::full_screen_url(),
                'supportURL'       => \Chatway::support_url(),
                'internalEndpoint' => Url::internal_api(),
                'remoteEndpoint'   => Url::remote_api(),
                'landingPage'      => Url::landing_page(),
                "termsOfService"   => Url::terms_of_service(),
                "privacyPolicy"    => Url::privacy_policy(),
                'token'            => get_option( 'chatway_token', '' ),
                'siteUrl'          => get_site_url(),
            ] 
        );
    } 
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/chatway-live-chat/1.4.8/app/Assets.php /home/deploy/wp-safety.org/data/plugin-versions/chatway-live-chat/1.4.9/app/Assets.php
--- /home/deploy/wp-safety.org/data/plugin-versions/chatway-live-chat/1.4.8/app/Assets.php	2026-05-12 04:37:12.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/chatway-live-chat/1.4.9/app/Assets.php	2026-05-13 04:27:44.000000000 +0000
@@ -91,7 +91,11 @@
     public function enqueue_admin_assets() {
         /**
          * prepare dynamic dependencies 
-         */ 
+         */
+        if (!current_user_can('manage_options')) {
+            return;
+        }
+
         $file_path = \Chatway::require( 'assets/js/app.asset.php', true );
         if( file_exists( $file_path ) ) {
             $file = require $file_path;
@@ -122,7 +126,6 @@
                     'landingPage'      => Url::landing_page(),
                     "termsOfService"   => Url::terms_of_service(),
                     "privacyPolicy"    => Url::privacy_policy(),
-                    'token'            => get_option( 'chatway_token', '' ),
                     'siteUrl'          => get_site_url(),
                 ] 
             );

Exploit Outline

1. Authentication: Log into the WordPress site as a user with Subscriber-level access or higher. 2. Access Dashboard: Navigate to any admin page (e.g., /wp-admin/profile.php) to trigger the `admin_enqueue_scripts` hook. 3. Identify Localized Script: Inspect the HTML source code of the page for a `<script>` tag with the ID `chatway-app-js-extra`. 4. Extract Token: Locate the `token` key within the `chatway` JavaScript object. The value assigned to this key is the site's sensitive Chatway API token.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.