CVE-2024-13646
Published: 30 January 2025
Description
The Single-user-chat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the 'single_user_chat_update_login' function in all versions up to, and including, 0.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update option values to 'login' on the WordPress site. This may be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
Security Summary
CVE-2024-13646 affects the Single-user-chat plugin for WordPress, specifically due to insufficient validation in the 'single_user_chat_update_login' function across all versions up to and including 0.5. This flaw enables unauthorized modification of data, which can result in a denial of service. The vulnerability is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-285 (Improper Authorization).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction. Because the affected function does not adequately check who is invoking it or what it is being asked to write, any logged-in user can trigger it and update WordPress option values to 'login'. Depending on which option is overwritten, this can break the site (an option that the site expects to hold a different type or value now produces errors, denying service to legitimate users) or flip a security-relevant setting, such as enabling open user registration.
The Wordfence threat intelligence advisory describes the vulnerability, and the references point to line 326 of single-user-chat.php in the plugin's trac repository as the location of the insufficient validation. No fixed version is identified in the available references, so all versions up to and including 0.5 should be treated as affected. Practitioners should update to a patched release if one is published or, failing that, deactivate and remove the plugin. After doing so, review the site's options (for example users_can_register, the WordPress option that controls open registration) and recently created user accounts for signs that option values were altered while the plugin was active.
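To make the vulnerability class concrete, the following is an added example written for this page; it is not the Single-user-chat plugin's code, and the hook names, function names and option names (example_update_login, example_chat_login) are hypothetical. It shows a WordPress AJAX handler that updates an option with no authorization check, the pattern behind CWE-285 findings like this one, beside a hardened version that checks capability, verifies a nonce, and allow-lists which option may be written and what values it accepts.

```php
<?php
// Added example (not the plugin's code). Illustrates an option-updating
// WordPress AJAX handler without authorization, and its hardened form.
// All hook, function and option names below are hypothetical.

// --- Vulnerable pattern ----------------------------------------------------
// wp_ajax_* actions fire for ANY logged-in user, including subscribers.
// No capability check, no nonce, and the option name comes from the request,
// so any authenticated user can overwrite any option in wp_options.
add_action('wp_ajax_example_update_login_vuln', 'example_update_login_vulnerable');
function example_update_login_vulnerable() {
    $option = isset($_POST['option']) ? $_POST['option'] : '';
    $value  = isset($_POST['value'])  ? $_POST['value']  : '';
    // e.g. option=users_can_register&value=1 enables open registration,
    // or an arbitrary option can be clobbered to break the site.
    update_option($option, $value);
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
add_action('wp_ajax_example_update_login', 'example_update_login_hardened');
function example_update_login_hardened() {
    // 1. Authorization: only users who may manage site settings.
    //    A subscriber fails this check and gets a 403.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. CSRF protection: the request must carry a nonce issued for this
    //    action (wp_create_nonce('example_update_login') on the client side).
    check_ajax_referer('example_update_login', 'nonce');

    // 3. Allow-list the option this handler is permitted to write; never let
    //    the request choose an arbitrary option name.
    $allowed = array('example_chat_login');
    $option  = isset($_POST['option']) ? sanitize_key(wp_unslash($_POST['option'])) : '';
    if (!in_array($option, $allowed, true)) {
        wp_send_json_error('unknown option', 400);
    }

    // 4. Validate the value against what the option actually accepts
    //    (here: a short, non-empty login name), so a bad write cannot
    //    leave the site in an error state.
    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
    if ($value === '' || strlen($value) > 60) {
        wp_send_json_error('invalid value', 400);
    }

    update_option($option, $value);
    wp_send_json_success(array('option' => $option));
}
```

The hardened handler rejects the subscriber-level request at step 1 before anything is written; steps 3 and 4 matter even for administrators, because they prevent the handler from being used to write an option it was never meant to touch or to store a value that the site cannot handle.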
Details
- CWE(s)