CVE-2025-46498 - Vulnerability Details

- WordPress Zalo Official Live Chat plugin <= 1.0.0 - Cross Site Request Forgery (CSRF) Vulnerability

Description

Cross-Site Request Forgery (CSRF) vulnerability in nghialuu Zalo Official Live Chat zalo-official-live-chat allows Cross Site Request Forgery.This issue affects Zalo Official Live Chat: from n/a through <= 1.0.0.

Published: 2025-04-24

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A CSRF flaw in the Zalo Official Live Chat plugin allows an attacker to forge authenticated requests on a victim’s behalf, potentially causing unauthorized actions within the WordPress site. The vulnerability is rated with a CVSS score of 5.4, indicating moderate severity, and the description states it affects all versions up to 1.0.0.

Affected Systems

The flaw affects the WordPress plugin Zalo Official Live Chat from vendor nghialuu, versions from n/a through 1.0.0. Site owners using these plugin versions are at risk if users are logged in.

Risk and Exploitability

Because the flaw relies on CSRF, an attacker must convince a logged-in user to visit a malicious link or embed a crafted request; the EPSS score of less than 1% suggests low exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. The risk remains moderate but is confined to scenarios where a target user is authenticated and the plugin’s sensitive actions lack proper CSRF protections.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

nghialuu

Zalo Official Live Chat

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Zalo Official Live Chat plugin to the latest version that fixes the CSRF issue.
If an update is unavailable, temporarily disable or remove the plugin until a fix is released.
Add or enforce nonce or token validation on any state-changing plugin actions to prevent CSRF.

Generated by OpenCVE AI on April 30, 2026 at 20:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-12025	Cross-Site Request Forgery (CSRF) vulnerability in nghialuu Zalo Official Live Chat allows Cross Site Request Forgery. This issue affects Zalo Official Live Chat: from n/a through 1.0.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00177.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/zalo-official-live-chat/vulnerability/wordpress-zalo-official-live-chat-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Cross-Site Request Forgery (CSRF) vulnerability in nghialuu Zalo Official Live Chat allows Cross Site Request Forgery. This issue affects Zalo Official Live Chat: from n/a through 1.0.0.	Cross-Site Request Forgery (CSRF) vulnerability in nghialuu Zalo Official Live Chat zalo-official-live-chat allows Cross Site Request Forgery.This issue affects Zalo Official Live Chat: from n/a through <= 1.0.0.
Title	WordPress Zalo Official Live Chat <= 1.0.0 - Cross Site Request Forgery (CSRF) Vulnerability	WordPress Zalo Official Live Chat plugin <= 1.0.0 - Cross Site Request Forgery (CSRF) Vulnerability
References	https://patchstack.com/database/wordpress/plugin/zalo-official-live-chat/vulnerability/wordpress-zalo-official-live-chat-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/zalo-official-live-chat/vulnerability/wordpress-zalo-official-live-chat-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}`

Thu, 24 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 24 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		Cross-Site Request Forgery (CSRF) vulnerability in nghialuu Zalo Official Live Chat allows Cross Site Request Forgery. This issue affects Zalo Official Live Chat: from n/a through 1.0.0.
Title		WordPress Zalo Official Live Chat <= 1.0.0 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses		CWE-352
References		https://patchstack.com/database/wordpress/plugin/zalo-official-live-chat/vulnerability/wordpress-zalo-official-live-chat-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-24T16:09:27.592Z

Updated: 2026-04-28T16:12:39.242Z

Reserved: 2025-04-24T14:23:02.621Z

Link: CVE-2025-46498

Vulnrichment

Updated: 2025-04-24T19:52:05.389Z

NVD

Status : Deferred

Published: 2025-04-24T16:15:40.643

Modified: 2026-04-23T15:30:07.147

Link: CVE-2025-46498

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:00:15Z

Weaknesses

CWE-352
Cross-Site Request Forgery (CSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object