Essential Chat Support WordPress Plugin Authorization Bypass Vulnerability Allowing Unauthenticated Settings Reset

Vulnerability

A vulnerability exists in the Essential Chat Support plugin for WordPress, in all versions up to and including 1.0.1. The issue stems from the plugin's failure to properly verify user authorization for certain actions. This flaw enables unauthenticated attackers to reset all plugin configuration settings (general settings, display rules, custom CSS, and WooCommerce tab settings) to their default values. The reset is triggered by sending a POST request with the 'ecs_reset_settings' parameter set to 1; no capability check or nonce verification stands in the way.

Impact

Exploitation of this vulnerability allows for an unauthorized reset of all plugin settings to their default values, potentially disrupting customized configurations and user experiences.

Reproduction

To reproduce this vulnerability, send a POST request to the WordPress site with the 'ecs_reset_settings' parameter set to 1. This can be done using a tool like cURL or Postman, or through a simple script that targets the site's WordPress installation.
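The following is an added illustration of the bug class described above and of the standard WordPress fix, written for this advisory and not taken from the plugin's source: a reset handler that acts on the POST parameter alone, beside a hardened version that requires the manage_options capability and a valid nonce before touching any option. All function names and option keys (prefixed ecs_example_) are hypothetical.

```php
<?php
// Illustrative pattern only: hypothetical handler names and option keys, not the plugin's real code.

// BEFORE (the class of bug the advisory describes): the handler acts on the
// POST parameter alone, so any request, authenticated or not, can trigger the reset.
function ecs_example_reset_handler_vulnerable() {
    if ( isset( $_POST['ecs_reset_settings'] ) && '1' === $_POST['ecs_reset_settings'] ) {
        ecs_example_reset_all_options();
    }
}

// AFTER: authorization (capability) and CSRF (nonce) checks before any state change.
function ecs_example_reset_handler_hardened() {
    if ( ! isset( $_POST['ecs_reset_settings'] ) || '1' !== $_POST['ecs_reset_settings'] ) {
        return;
    }
    // Authorization: only users who may manage options (administrators) can reset settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset these settings.', 'ecs-example' ), 403 );
    }
    // Request forgery protection: the request must carry the nonce emitted by the settings page.
    check_admin_referer( 'ecs_example_reset_settings', 'ecs_example_reset_nonce' );
    ecs_example_reset_all_options();
}

function ecs_example_reset_all_options() {
    // Hypothetical option keys standing in for the plugin's general, display-rule,
    // custom-CSS and WooCommerce-tab settings; deleting them restores the defaults.
    $keys = array( 'ecs_example_general', 'ecs_example_display_rules', 'ecs_example_custom_css', 'ecs_example_woo_tab' );
    foreach ( $keys as $key ) {
        delete_option( $key );
    }
}

// The settings form that triggers the reset must emit the matching nonce field,
// otherwise check_admin_referer() will reject the legitimate admin request too.
function ecs_example_render_reset_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ecs_example_reset_settings', 'ecs_example_reset_nonce' );
    echo '<input type="hidden" name="ecs_reset_settings" value="1" />';
    submit_button( __( 'Reset to defaults', 'ecs-example' ), 'delete' );
    echo '</form>';
}

// Only the hardened handler is hooked; admin_init also fires for admin-ajax.php and
// admin-post.php requests, which is why the checks inside the handler matter.
add_action( 'admin_init', 'ecs_example_reset_handler_hardened' );
```

The order inside the hardened handler is deliberate: the capability check rejects unauthenticated and low-privilege requests before the nonce is even examined, and the nonce check then stops a logged-in administrator from being tricked into submitting the reset from another site.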

Added: May 16, 2026, 3:25 AM
Updated: May 16, 2026, 3:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 8.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.