Unauthorized access to private chat messages in WPGuppy plugin

CVE-2025-6792
Summary

The WPGuppy plugin for WordPress allows unauthenticated users to view private chat messages between other users. The plugin does not properly check who is making requests to its REST API. To fix this, update the plugin to version 1.1.5 or later so that only authorized users can access private chat messages.

Original title
The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint ...
Original description
The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to intercept and view private chat messages between users.
NVD CVSS 3.1: 5.3
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026
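
One way to check web server access logs for requests to the endpoint named in the description, as an added example that is not part of the advisory or the plugin's code. It assumes combined-format access logs; the sample lines are constructed, and the `?rest_route=` form is WordPress's standard alternative way of addressing REST routes when pretty permalinks are off.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Route named in the advisory; WordPress serves it under /wp-json/ or via ?rest_route=
ROUTE = "/guppylite/v2/channel-authorize"

# Combined-log prefix: client IP, timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def hits_route(target: str) -> bool:
    """True if the request target addresses the channel-authorize route."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower().rstrip("/")  # case-folded so variants are not missed
    if path.endswith("/wp-json" + ROUTE):           # also covers subdirectory installs
        return True
    # Plain-permalink form: /?rest_route=/guppylite/v2/channel-authorize
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(r.lower().rstrip("/") == ROUTE for r in routes)

def triage(lines):
    """Return (matching events, per-IP request counts) for the route."""
    events, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and hits_route(m["target"]):
            events.append((m["ts"], m["ip"], m["method"], int(m["status"])))
            per_ip[m["ip"]] += 1
    return events, per_ip

# Constructed sample lines using documentation IP ranges, not real traffic
SAMPLE = [
    '203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "POST /wp-json/guppylite/v2/channel-authorize HTTP/1.1" 200 312 "-" "ua"',
    '203.0.113.7 - - [01/Mar/2026:10:00:03 +0000] "GET /?rest_route=%2Fguppylite%2Fv2%2Fchannel-authorize HTTP/1.1" 200 298 "-" "ua"',
    '198.51.100.20 - - [01/Mar/2026:10:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "ua"',
    '198.51.100.20 - - [01/Mar/2026:10:02:00 +0000] "POST /blog/wp-json/guppylite/v2/channel-authorize/ HTTP/1.1" 401 90 "-" "ua"',
]

if __name__ == "__main__":
    events, per_ip = triage(SAMPLE)
    for event in events:
        print(*event)
    print(per_ip.most_common())
```

A match only shows that the route was requested, since the chat front end may call it during normal use; review matches by client IP, status code and timing relative to the update to 1.1.5.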