Atomic Edge analysis of CVE-2025-6792:
The vulnerability is an unauthenticated information disclosure in the One to one user Chat by WPGuppy WordPress plugin, affecting versions up to and including 1.1.4. The flaw resides in the plugin’s REST API endpoint for channel authorization, allowing attackers to intercept private chat messages without authentication. The CVSS score of 5.3 reflects a moderate severity issue primarily concerning confidentiality.

The root cause is a missing capability check on the `/wp-json/guppylite/v2/channel-authorize` REST endpoint. In the vulnerable code within `/wpguppy-lite/includes/class-wp-guppy-rest-api.php`, the `registerRestRoutes()` function (lines 213-217) registers this endpoint with a `permission_callback` set to `'__return_true'`. This configuration permits any unauthenticated user to access the endpoint’s callback function, `guppyChannelAuthorize()`. The function subsequently processes requests to authorize Pusher channels for real-time chat, which can expose sensitive channel and user data.

Exploitation involves sending a POST request to the vulnerable REST endpoint. An attacker crafts a request to `/wp-json/guppylite/v2/channel-authorize` with parameters required by the `guppyChannelAuthorize()` function. By manipulating parameters such as `channel_name` or `socket_id`, an attacker can obtain authorization tokens or subscribe to chat channels belonging to other users. This allows interception of private message streams in real time, effectively eavesdropping on conversations.

The patch addresses the vulnerability by replacing the permissive `'__return_true'` permission callback with `[&$this, 'guppyAuthentications']` for the `channel-authorize` endpoint. This change is visible in the diff at line 220. The `guppyAuthentications()` function validates the user’s authentication token before granting access. The patch ensures the endpoint enforces the same authentication checks applied to other sensitive plugin endpoints, such as `load-guppy-users` and `load-guppy-chat`.
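
The same class of flaw can be audited for statically. The following is an added example, not code from the plugin or from Atomic Edge: a small Python scanner that flags `register_rest_route()` calls whose `permission_callback` is `__return_true` or absent. The embedded PHP is a constructed sample modelled on the description above, and `getGuppyUsers` is a hypothetical callback name.

```python
import re

# Constructed sample modelled on the analysis above; NOT the plugin's real source.
# getGuppyUsers is a hypothetical callback name.
SAMPLE_PHP = r"""<?php
class Sample_Rest_Api {
    public function registerRestRoutes() {
        register_rest_route('guppylite/v2', '/load-guppy-users', array(
            'methods'             => 'GET',
            'callback'            => array(&$this, 'getGuppyUsers'),
            'permission_callback' => array(&$this, 'guppyAuthentications'),
        ));
        register_rest_route('guppylite/v2', '/channel-authorize', array(
            'methods'             => 'POST',
            'callback'            => array(&$this, 'guppyChannelAuthorize'),
            'permission_callback' => '__return_true',
        ));
    }
}
"""

CALL = re.compile(r"\bregister_rest_route\s*\(")
STRING = re.compile(r"""(['"])(.*?)\1""")
PERM = re.compile(r"""['"]permission_callback['"]\s*=>\s*(.+)""")

def call_args(src, start):
    """Argument text of the call whose '(' ends at src[start-1]; naive about parens in strings."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def find_open_routes(src):
    """Return (line, route, reason) for routes any unauthenticated client can call."""
    findings = []
    for m in CALL.finditer(src):
        args = call_args(src, m.end())
        strings = [s[1] for s in STRING.findall(args)]
        # First two string literals are the namespace and the route path.
        route = "".join(strings[:2]) if len(strings) >= 2 else "<unparsed>"
        line = src.count("\n", 0, m.start()) + 1
        perm = PERM.search(args)
        if perm is None:
            findings.append((line, route, "no permission_callback"))
        elif "__return_true" in perm.group(1):
            findings.append((line, route, "permission_callback is __return_true"))
    return findings

if __name__ == "__main__":
    print(find_open_routes(SAMPLE_PHP))
```

`__return_true` is appropriate for endpoints that are meant to be public, so each finding is a prompt to review what the route's callback returns, not a confirmed flaw.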

Successful exploitation leads to unauthorized access to private chat data. Attackers can view real-time messages exchanged between users, potentially exposing sensitive personal information, confidential discussions, or business communications. The impact is a direct breach of chat confidentiality, violating user privacy expectations. While the vulnerability does not permit message modification or deletion, the information disclosure risk is significant for platforms using this plugin for private communications.