CVE-2024-13646: 
WordPress vulnerability analysis and mitigation

The Single-user-chat plugin for WordPress (versions up to and including 0.5) contains a vulnerability (CVE-2024-13646) that allows unauthorized modification of data potentially leading to denial of service. The vulnerability was discovered and reported by Wordfence on January 30, 2025 (Wordfence Advisory).

The vulnerability stems from insufficient validation in the 'singleuserchatupdatelogin' function. The issue has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The vulnerability is classified under CWE-285 (Improper Authorization) (NVD).

When exploited, this vulnerability allows authenticated attackers with subscriber-level access or higher to update option values to 'login' on the WordPress site. This can be leveraged to create errors that deny service to legitimate users or manipulate certain values to true, such as registration settings (NVD).

Users should upgrade to a version newer than 0.5 when available or consider implementing additional access controls to restrict subscriber-level users from accessing the affected functionality (NVD).