CVE-2021-24997

MEDIUM NUCLEI

WP Guppy WordPress <1.3 - Info Disclosure

Title source: llm

Description

The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user

Nuclei Templates (1)

WordPress Guppy <=1.1 - Information Disclosure

MEDIUMby Evan Rubinstein

References (2)

[Exploit, Third Party Advisory] https://github.com/Keyvanhardani/WP-Guppy-A-live-chat-WP-JSON-API-Sensitive-Information-Disclosure

View Exploit ZIP pw:eip

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/747e6c7e-a167-4d82-b6e6-9e8613f0e900

Scores

CVSS v3 6.5

EPSS 0.0458

EPSS Percentile 89.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-862

Status published

Products (1)

wp-guppy/wp_guppy < 1.3

Published Dec 27, 2021

Tracked Since Feb 18, 2026