Severity: HIGH | CVE-2026-49082 | CNA: Patchstack

CVE-2026-49082: WordPress Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons plugin <= 1.4.8 - Sensitive Data Exposure vulnerability

Subscriber Sensitive Data Exposure in Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 versions.

Metrics

  • CVSS v3.1: 7.4
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a sensitive data exposure vulnerability in the Chatway Live Chat WordPress plugin (versions 1.4.8 and earlier). The flaw is reachable over the network by any authenticated user holding a low-privilege subscriber account, with no victim interaction required. Successful exploitation allows an attacker to read, modify, and partially disrupt sensitive data managed by the plugin. No fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the Chatway Live Chat plugin. Any image carrying plugin version 1.4.8 or earlier is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.4 HIGH (v3.1) and is capable of weighting that score against each customer environment's compliance policy to reflect local risk tolerances. Triage alerts are routable to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

No fix version has been published for this CVE. HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS.

  • Authentication: Required

    Any low-privilege subscriber-level WordPress account is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    No action by another user or administrator is needed to trigger the exposure.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions or special environmental factors need to align.

Blast Radius

  • An attacker reads sensitive data handled by the Chatway Live Chat plugin, which may include chat transcripts, visitor contact details, or support ticket contents.
  • An attacker modifies plugin-managed data, such as altering chat records or support entries stored by the plugin.
  • The plugin's live chat or helpdesk functionality can be partially disrupted, degrading availability for end users relying on the support channel.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for any customer image containing the Chatway Live Chat plugin at version 1.4.8 or earlier, with no configuration required. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle. In the interim, compensating controls worth considering include network-policy isolation that restricts which roles or IP ranges can reach the affected plugin endpoints, egress filtering on the WordPress container to limit data exfiltration paths, and disabling the plugin entirely if live chat functionality is not actively required. The moment an upstream patch is published, a patched-image rebuild becomes available on HarborGuard; for customers with auto-remediation enabled, a rebuilt image, regression test run, and pull request against affected workloads will be triggered automatically.

Affected packages
  • Chatway Live Chat / Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons
    ≤ 1.4.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L