CVE-2025-31596: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Chatwee Chat by Chatwee plugin affecting versions through 2.1.3. The vulnerability was disclosed on March 31, 2025, and allows exploitation of incorrectly configured access control security levels (Patchstack, NVD).

The vulnerability is classified as a broken access control issue, which stems from missing authorization, authentication, or nonce token checks in certain functions. This allows unprivileged users to execute higher privileged actions. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The minimum required privilege level to exploit this vulnerability is Subscriber (Patchstack).

The vulnerability has been assessed as having a low severity impact. It primarily affects access control mechanisms within the plugin, potentially allowing unauthorized users to perform actions beyond their intended privilege level (Patchstack).

No official fix is available for this vulnerability as the software appears to be abandoned. The recommended mitigation strategy is to remove and replace the Chat by Chatwee plugin with an alternative solution (Patchstack).