Impact
The FrescoChat Live Chat plugin is affected by a Cross-Site Request Forgery (CSRF) vulnerability that lets an attacker store malicious script through user input, resulting in Stored XSS. The weakness stems from improper validation of CSRF tokens combined with insufficient output escaping, and is classified as CWE-352. An attacker who can cause a victim to issue a forged request to the plugin can inject a script that executes in the context of any user who later views the affected content, giving the attacker the ability to hijack sessions, deface pages, or exfiltrate sensitive data.
Affected Systems
Sodena's FrescoChat Live Chat widget is affected in all versions up to and including 3.2.6; any deployment running 3.2.6 or earlier is vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate-to-high severity. The EPSS score of below 1% suggests that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is likely remote, since a CSRF request can be triggered from a malicious website or link. Successful exploitation grants the attacker persistent client-side code execution against any user who visits the compromised site, potentially resulting in data theft, session hijacking, and content injection.
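As an added illustration, not code from the plugin or from this advisory, the following Python stand-in shows the two controls whose absence the advisory describes: a session-bound CSRF token checked before a settings write is accepted, and output escaping applied when the stored value is rendered. Function names, form fields and the in-memory store are assumptions.

```python
import hmac
import html
import secrets

# Constructed stand-in for a server-side settings endpoint; the real plugin's
# handler names, fields and storage are not known from the advisory.
STORE = {"greeting": ""}  # persisted widget text later shown to visitors


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, submitted) -> bool:
    """True only if the request carries the token bound to this session.
    A cross-site form post cannot read the victim's token, so it fails here."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time compare


def handle_settings_update_vulnerable(session: dict, form: dict) -> int:
    """The weakness class in the advisory: the write is accepted with no token check."""
    STORE["greeting"] = form.get("greeting", "")
    return 200


def handle_settings_update(session: dict, form: dict) -> int:
    """Hardened handler: the CSRF token is verified before anything is stored."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403
    STORE["greeting"] = form.get("greeting", "")
    return 200


def render_widget_vulnerable() -> str:
    """Stored value interpolated raw into HTML, so stored markup is live."""
    return f"<div class='chat-greeting'>{STORE['greeting']}</div>"


def render_widget() -> str:
    """Output escaping turns any stored markup into inert text."""
    return f"<div class='chat-greeting'>{html.escape(STORE['greeting'], quote=True)}</div>"
```

Both controls are needed: the token check blocks the forged write, and escaping ensures that even a value stored through some other path cannot execute when rendered.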
OpenCVE Enrichment