One to One User Chat by WPGuppy Missing Capability Check Vulnerability Allowing Unauthenticated Data Access

Vulnerability

A vulnerability exists in the One to One User Chat by WPGuppy plugin for WordPress, in all versions through 1.1.4. The issue arises from a missing capability check on the '/wp-json/guppylite/v2/channel-authorize' REST endpoint. This flaw allows unauthenticated attackers to intercept and read private chat messages between users.

Impact

Exploitation of this vulnerability leads to unauthorized access to private chat messages, allowing interception and reading of these messages by unauthenticated users.

Added: Feb 14, 2026, 8:14 AM

Updated: Feb 14, 2026, 8:14 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

6.6

remediation

0.0

relevance

2.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

6.6

remediation

0.0

relevance

2.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

One to One User Chat by WPGuppy Missing Capability Check Vulnerability Allowing Unauthenticated Data Access

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating