CVE-2021-24997: 
WordPress vulnerability analysis and mitigation

The WP Guppy WordPress plugin, a live chat solution, was found to contain a security vulnerability (CVE-2021-24997) affecting versions before 1.3. The vulnerability was discovered by Keyvan Hardani and publicly disclosed on November 22, 2021. The issue stems from missing authorization controls in certain REST API endpoints of the plugin (WPScan, MITRE).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS score of 7.5 (High). The security flaw exists in the REST API endpoints of the WP Guppy plugin, where the lack of proper authorization controls allows any user to make API calls. The affected endpoints include user listing, message sending, and chat history retrieval functionalities (WPScan).

The vulnerability could lead to sensitive information disclosure, including exposure of usernames and private chat conversations between users. Additionally, attackers could exploit this flaw to send messages as arbitrary users, potentially leading to impersonation and unauthorized communication (WPScan).

The vulnerability was fixed in version 1.3 of the WP Guppy plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan).