CVE-2025-6792

Severity: MEDIUM

WPGuppy plugin <1.1.4 - Info Disclosure


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-6792. PoCs published by jFriedli.

AI-analyzed exploit summary

This repository provides a functional exploit for CVE-2025-6792, demonstrating unauthorized subscription to private Pusher channels in a WordPress plugin (likely Guppy Lite). The PoC includes steps to extract credentials, subscribe to a victim's channel, and intercept real-time events.

Description

The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access to data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize REST endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to intercept and view private chat messages between users.

Exploits (1)

nomisec: WORKING POC
by jFriedli · poc
https://github.com/jFriedli/CVE-2025-6792


Classification

Working PoC: 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Guppy Lite WordPress plugin (likely version affected by CVE-2025-6792)
Authentication: No auth needed
Prerequisites: Access to a vulnerable WordPress instance with Guppy Lite plugin · Pusher credentials (key and cluster) from the target site
Analyzed by: devstral-2, Apr 28, 2026

Scores

CVSS v3: 5.3
EPSS: 0.0034
EPSS Percentile: 26.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-306
Status: published
Products (1): amentotechpvtltd/One to one user Chat by WPGuppy < 1.1.4
Published: Feb 14, 2026
Tracked Since: Feb 18, 2026