CVE-2025-68895 MEDIUM

CVE-2025-68895: WordPress AhaChat Messenger Marketing plugin <= 1.1 - Broken Authentication vulnerability

Vendor Ahachat
Product AhaChat Messenger Marketing
Weakness CWE-288
Published February 20, 2026
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in the Ahachat AhaChat Messenger Marketing plugin (ahachat-messenger-marketing) allows Password Recovery Exploitation. This issue affects AhaChat Messenger Marketing: all versions up to and including 1.1.

Explanation of Vulnerability in Simple Terms

02 Summary

AhaChat Messenger Marketing versions 1.1 and earlier contain an authentication weakness that allows unauthenticated attackers to modify data on affected systems. The vulnerability requires only network access and no user interaction. Site administrators should update to a version newer than 1.1 as soon as a patch becomes available.

What an attacker can do

03 Attacker Capabilities

Modify data on the site without logging in.

Potential impact on your site

04 Site Impact

Unauthorized changes to site data or messaging content without detection of the attacker's identity.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 20, 2026 CVE published
April 28, 2026 Record updated