CVE-2026-1253
Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
14th
The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options, including critical settings such as API keys, authentication keys, and layout configurations.
| CWE | CWE-862 |
| Vendor | atomchat |
| Product | group chat & video chat by atomchat |
| Published | Mar 21, 2026 |
| Last Updated | Apr 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for atomchat group chat & video chat by atomchat
Be the first to know when new medium vulnerabilities affecting atomchat group chat & video chat by atomchat are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
atomchat / Group Chat & Video Chat by AtomChat
0 โค 1.1.7
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/5c2980c3-0038-42ab-8751-72c40921477a?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/atomchat/trunk/includes/atomchat_requesthandler.php#L175 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/atomchat/tags/1.1.7/includes/atomchat_requesthandler.php#L175
Credits
Nabil Irawan