github · Vendetaaaa · May 16, 2026
diff --git a/advisories/unreviewed/2026/05/GHSA-4fcc-vrwx-v754/GHSA-4fcc-vrwx-v754.json b/advisories/unreviewed/2026/05/GHSA-4fcc-vrwx-v754/GHSA-4fcc-vrwx-v754.json
@@ -1,19 +1,43 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4fcc-vrwx-v754",
-  "modified": "2026-05-16T03:31:27Z",
+  "modified": "2026-05-16T03:31:38Z",
   "published": "2026-05-16T03:31:27Z",
   "aliases": [
     "CVE-2026-8681"
   ],
-  "details": "The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all plugin configuration settings — including general settings, display rules, custom CSS, and WooCommerce tab settings — to their defaults by sending a POST request with ecs_reset_settings=1.",
+  "summary": "Missing Authorization for Configuration Reset in Essential Chat Support Plugin for WordPress",
+  "details": "### Summary\nThe Essential Chat Support plugin for WordPress is vulnerable to an authorization bypass in all versions up to, and including, 1.0.1. The flaw resides within its administrative initialization or settings registration hooks (specifically inside `register-settings.php` and `ecs-functions.php`), where the application fails to validate whether an incoming request originates from an authorized administrator or carries a valid anti-cross-site request forgery (CSRF) nonce.\n\n### Impact\nAn unauthenticated remote attacker can issue a direct HTTP `POST` request to the WordPress instance containing the parameter `ecs_reset_settings=1`. Because access validation routines are missing, this action triggers a full settings purge, reverting all configuration values—including general options, behavior display rules, custom user CSS styling, and WooCommerce storefront tab configurations—back to their factory defaults. This can cause interface defacement, loss of active support configurations, and service operational disruption.\n\n### Remediation\nUninstall the plugin or ensure it is updated to a patched version (version **1.0.2** or later) that introduces capability checks (such as `current_user_can('manage_options')`) and nonce token verifications before performing destructive data mutations.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "essential-chat-support"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "= 1.0.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.0.1"
+      }
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",