What happened
Chatway Live Chat, a WordPress plugin providing AI chatbot, live chat, and customer support functionality, contains a sensitive data exposure vulnerability in versions up to and including 1.4.8. Published June 15, 2026 (CVSS 7.4 HIGH). Subscriber-level users can access sensitive data they should not be authorized to view.
Why it matters
AI chatbots deployed in customer support contexts routinely handle PII (names, emails, order details) and conversation histories, and may store or proxy API keys for backend AI services. Exposing this data to low-privileged users violates customer privacy, may breach GDPR and other data protection obligations, and can enable API key theft for unauthorized use of the AI service.
Attack vector
An authenticated user with Subscriber-level privileges (the lowest WordPress role, easily obtained by self-registration on most sites) exploits insufficient access control in the plugin's data retrieval endpoints to access sensitive data outside their authorization scope.
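The access-control failure described above, reduced to its generic WordPress form. This is an added illustration, not Chatway's code: the page does not disclose the plugin's actual endpoints or handlers, so the route names under `example-chat/v1`, the option key `example_chat_settings`, the AJAX action `example_chat_export` and all function names are assumed stand-ins. The weak pattern and its hardened replacement are shown side by side so a reviewer can recognize the class of bug in any plugin that exposes data to logged-in users.

```php
<?php
// Added illustration, not the plugin's code. Route names, option key and
// function names are assumed stand-ins; the advisory does not name them.

// --- WEAK PATTERN -----------------------------------------------------------
// is_user_logged_in() only proves the caller has *some* account. On a site
// with open registration that includes every self-registered Subscriber, so
// this route hands configuration (including any stored backend key) to the
// lowest-privileged role.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/settings-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_chat_get_settings_weak',
        'permission_callback' => 'is_user_logged_in', // authentication != authorization
    ) );
} );

function example_chat_get_settings_weak() {
    // Returns the whole option, secrets included (assumed option name).
    return rest_ensure_response( get_option( 'example_chat_settings', array() ) );
}

// --- HARDENED PATTERN -------------------------------------------------------
// 1. Gate the route on a capability Subscribers do not have.
// 2. Allow-list the fields that are safe to return so a secret never reaches
//    the browser even if a later caller is granted access by mistake.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'example_chat_get_settings_safe',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_chat_get_settings_safe() {
    $settings = get_option( 'example_chat_settings', array() );
    // Only these keys are ever serialized; 'api_key' and similar are dropped.
    $public_keys = array( 'widget_color', 'greeting', 'position' );
    $public      = array_intersect_key( $settings, array_flip( $public_keys ) );
    return rest_ensure_response( $public );
}

// --- SAME RULE FOR admin-ajax.php HANDLERS ----------------------------------
// A 'wp_ajax_' hook also fires for every logged-in role. A nonce alone does
// not fix it: the nonce proves intent, the capability check proves authority.
add_action( 'wp_ajax_example_chat_export', function () {
    check_ajax_referer( 'example_chat_export', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Conversation export (assumed helper) runs only for administrators.
    wp_send_json_success( example_chat_collect_export() );
} );

function example_chat_collect_export() {
    // Stand-in for the real data-collection logic; shape is illustrative.
    return array( 'conversations' => array() );
}
```

When auditing a plugin for this class of issue, grep for `register_rest_route` and `wp_ajax_` and confirm that every handler returning stored data has a `permission_callback` or `current_user_can()` check tied to a specific capability, not merely `is_user_logged_in()` or `__return_true`.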
Affected systems
Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk ≤ 1.4.8
Mitigation
Update Chatway Live Chat to version 1.4.9 or later. Advisory: https://patchstack.com/database/wordpress/plugin/chatway-live-chat/vulnerability/wordpress-chatway-live-chat-ai-chatbot-customer-support-faq-helpdesk-customer-service-chat-buttons-plugin-1-4-8-sensitive-data-exposure-vulnerability