[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwhAQdSh91lS6gezJsIUQhfT3jpcYOdULyriTen5jUZQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-49082","chatway-live-chat-ai-chatbot-customer-support-faq-helpdesk-customer-service-chat-buttons-authenticated-subscriber-inform","Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons \u003C= 1.4.8 - Authenticated (Subscriber+) Information Exposure","The Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.","chatway-live-chat",null,"\u003C=1.4.8","1.4.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-05 00:00:00","2026-06-10 17:40:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F16429860-d2a6-4b08-b2da-012ec2d4e2c3?source=api-prod",6,[22,23,24,25,26,27,28,29],"app\u002FAssets.php","app\u002FExternalApi.php","app\u002FUser.php","assets\u002Fjs\u002Fapp.asset.php","assets\u002Fjs\u002Fapp.js","chatway.php","languages\u002Fchatway.pot","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-49082 (Chatway Information Exposure)\n\n## 1. Vulnerability Summary\nThe **Chatway Live Chat** plugin for WordPress (versions \u003C= 1.4.8) is vulnerable to **Sensitive Information Exposure**. The plugin enqueues administrative JavaScript assets on every admin page for all authenticated users, including those with low privileges like **Subscribers**. During this process, it uses `wp_localize_script` to export internal configuration settings—most notably the **Chatway API Token** (`chatway_token`)—into the global JavaScript context of the page. \n\nAn attacker with Subscriber-level access can log into the WordPress dashboard (e.g., to manage their profile) and extract the site's Chatway authentication token from the page source, allowing them to potentially interact with the Chatway remote API as the site owner.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any WordPress admin page (e.g., `\u002Fwp-admin\u002Fprofile.php`).\n*   **Hook:** `admin_enqueue_scripts` (triggered globally in the admin area).\n*   **Vulnerable Function:** `Chatway\\App\\Assets::enqueue_admin_assets()`.\n*   **Authentication:** Authenticated (Subscriber+).\n*   **Payload Location:** The HTML source code of the admin page, specifically within a `\u003Cscript>` block containing the `chatway` JavaScript object.\n\n## 3. Code Flow\n1.  **Hook Registration:** In `app\u002FAssets.php`, the `__construct` method registers the `enqueue_admin_assets` method to the `admin_enqueue_scripts` action:\n    ```php\n    add_action( 'admin_enqueue_scripts', [$this, 'enqueue_admin_assets'] );\n    ```\n2.  **Lack of Authorization:** The `enqueue_admin_assets` function does not check for user capabilities (e.g., `current_user_can('manage_options')`). It executes for any user capable of accessing `wp-admin`.\n3.  **Data Localization:** Inside `enqueue_admin_assets`, the plugin retrieves the sensitive token from the database and passes it to the frontend:\n    ```php\n    \u002F\u002F app\u002FAssets.php: line 103-116\n    wp_localize_script(\n        'chatway-app', 'chatway', [\n            \u002F\u002F ...\n            'token'            => get_option( 'chatway_token', '' ),\n            'siteUrl'          => get_site_url(),\n        ] \n    );\n    ```\n4.  **Information Exposure:** WordPress renders this data into the HTML as:\n    ```html\n    \u003Cscript id=\"chatway-app-js-extra\">\n    var chatway = {\"token\":\"[SENSITIVE_TOKEN]\",\"siteUrl\":\"...\"};\n    \u003C\u002Fscript>\n    ```\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is an **Information Exposure**, not a state-changing operation (like an exploit for CSRF or SQLi). Therefore, **no nonce is required** to trigger the exposure. The attacker only needs a valid session cookie for a Subscriber-level user to access the admin area.\n\n## 5. Exploitation Strategy\nThe goal is to log in as a Subscriber and extract the `chatway.token` value from the admin dashboard.\n\n### Step-by-Step Plan:\n1.  **Authentication:** Log into the WordPress instance using Subscriber credentials.\n2.  **Request:** Use the `http_request` tool to perform a GET request to `\u002Fwp-admin\u002Fprofile.php`.\n3.  **Extraction:**\n    *   Parse the response body.\n    *   Identify the script block containing `var chatway =`.\n    *   Extract the value of the `token` key.\n\n### Payload Details:\n*   **Method:** `GET`\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fprofile.php`\n*   **Cookies:** Valid WordPress authentication cookies for a Subscriber.\n*   **Expected Response:** A `200 OK` status with HTML containing the localized `chatway` object.\n\n## 6. Test Data Setup\nTo verify the exposure, the environment must have a token configured:\n1.  **Set Token:** `wp option update chatway_token \"CHATWAY-API-SECRET-TOKEN-999\"`\n2.  **Create Attacker:** `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3.  **Plugin State:** Ensure the plugin is active and `assets\u002Fjs\u002Fapp.asset.php` exists (it is part of the default installation).\n\n## 7. Expected Results\nUpon visiting `\u002Fwp-admin\u002Fprofile.php` as the `attacker` user, the response HTML should contain the following string (or similar JSON structure):\n`\"token\":\"CHATWAY-API-SECRET-TOKEN-999\"`\n\n## 8. Verification Steps\nAfter performing the HTTP request:\n1.  **Manual Verification:** Check the output of the `http_request` for the token string.\n2.  **Comparison:** Use WP-CLI to confirm the extracted token matches the value in the database:\n    `wp option get chatway_token`\n\n## 9. Alternative Approaches\n### Frontend Exposure\nThe plugin also exposes the `userId` and `emailId` of the current user on the **frontend** via `wp_localize_script('chatway-script', 'wpChatwaySettings', ...)` in `enqueue_chatway()`.\n*   **Target:** The site homepage or any public post.\n*   **Extracted Data:** `wpChatwaySettings.emailId` and `wpChatwaySettings.userId`.\n*   **Significance:** This allows any logged-in user to see their own data reflected in JS, but more importantly, it confirms the plugin's behavior of enqueuing user data without strict filtering.\n\n### Identity Verification Token\nIf the `chatway_secret_key` is set, `enqueue_chatway()` also exposes an HMAC `token` in `wpChatwaySettings`. While this token is specific to the current user's email\u002FID, capturing it is the first step in analyzing if the signature generation is predictable or if the secret key can be recovered via other exposures.","The Chatway Live Chat plugin exposes the sensitive `chatway_token` API key to all authenticated users by localizing it into a global JavaScript object on every administrative page. A Subscriber-level user can log into the WordPress dashboard and extract this token from the page source, enabling them to potentially impersonate the site owner in communications with the remote Chatway API.","\u002F\u002F app\u002FAssets.php (starting around line 91)\npublic function enqueue_admin_assets() {\n    \u002F**\n     * prepare dynamic dependencies \n     *\u002F \n    $file_path = \\Chatway::require( 'assets\u002Fjs\u002Fapp.asset.php', true );\n    if( file_exists( $file_path ) ) {\n        $file = require $file_path;\n        $version = $file['version'];\n        $dependencies = $file['dependencies'];\n        $dependencies[] = 'jquery';\n\n        \u002F**\n         * enqueue admin assets \n         *\u002F \n        wp_enqueue_style( 'chatway-fonts', \\Chatway::url( 'assets\u002Fcss\u002Ffonts.css' ), [], \\Chatway::version(), false );\n        wp_enqueue_script(\n            'chatway-app', \\Chatway::url( 'assets\u002Fjs\u002Fapp.js' ), $dependencies, $version, [\n                'in_footer' => true,\n                'strategy'  => 'defer'\n            ] \n        );\n        wp_enqueue_style( 'chatway-app', \\Chatway::url( 'assets\u002Fcss\u002Fapp.css' ), [], $dependencies, false );\n\n        wp_localize_script(\n            'chatway-app', 'chatway', [\n                'images'           => \\Chatway::url( 'assets\u002Fimages\u002F' ),\n                'dashboardUrl'     => Url::admin_url(),\n                'fullScreenUrl'    => Url::full_screen_url(),\n                'supportURL'       => \\Chatway::support_url(),\n                'internalEndpoint' => Url::internal_api(),\n                'remoteEndpoint'   => Url::remote_api(),\n                'landingPage'      => Url::landing_page(),\n                \"termsOfService\"   => Url::terms_of_service(),\n                \"privacyPolicy\"    => Url::privacy_policy(),\n                'token'            => get_option( 'chatway_token', '' ),\n                'siteUrl'          => get_site_url(),\n            ] \n        );\n    } \n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatway-live-chat\u002F1.4.8\u002Fapp\u002FAssets.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatway-live-chat\u002F1.4.9\u002Fapp\u002FAssets.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatway-live-chat\u002F1.4.8\u002Fapp\u002FAssets.php\t2026-05-12 04:37:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fchatway-live-chat\u002F1.4.9\u002Fapp\u002FAssets.php\t2026-05-13 04:27:44.000000000 +0000\n@@ -91,7 +91,11 @@\n     public function enqueue_admin_assets() {\n         \u002F**\n          * prepare dynamic dependencies \n-         *\u002F \n+         *\u002F\n+        if (!current_user_can('manage_options')) {\n+            return;\n+        }\n+\n         $file_path = \\Chatway::require( 'assets\u002Fjs\u002Fapp.asset.php', true );\n         if( file_exists( $file_path ) ) {\n             $file = require $file_path;\n@@ -122,7 +126,6 @@\n                     'landingPage'      => Url::landing_page(),\n                     \"termsOfService\"   => Url::terms_of_service(),\n                     \"privacyPolicy\"    => Url::privacy_policy(),\n-                    'token'            => get_option( 'chatway_token', '' ),\n                     'siteUrl'          => get_site_url(),\n                 ] \n             );","1. Authentication: Log into the WordPress site as a user with Subscriber-level access or higher.\n2. Access Dashboard: Navigate to any admin page (e.g., \u002Fwp-admin\u002Fprofile.php) to trigger the `admin_enqueue_scripts` hook.\n3. Identify Localized Script: Inspect the HTML source code of the page for a `\u003Cscript>` tag with the ID `chatway-app-js-extra`.\n4. Extract Token: Locate the `token` key within the `chatway` JavaScript object. The value assigned to this key is the site's sensitive Chatway API token.","gemini-3-flash-preview","2026-06-26 04:31:21","2026-06-26 04:32:18",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.4.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fchatway-live-chat\u002Ftags\u002F1.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fchatway-live-chat.1.4.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fchatway-live-chat\u002Ftags\u002F1.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fchatway-live-chat.1.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fchatway-live-chat\u002Ftags"]