Impact
The LiveAgent plugin for WordPress contains a cross-site request forgery (CSRF) flaw that lets an attacker cause requests to be sent with the credentials of a logged-in user. The attacker embeds a crafted form or link in a page under their control; when a victim with an active session visits that page, the browser submits the forged request to the plugin's endpoints, and actions such as modifying plugin settings or submitting content are performed without the victim's consent, undermining the integrity of the site's data. As is inherent to CSRF, exploitation requires the victim to hold an active authenticated session at the moment the forged request is sent.
Affected Systems
All WordPress sites running the qusupport LiveAgent plugin in any version from the earliest available release through 4.4.7 are potentially affected. Versions later than 4.4.7 are assumed to contain the fix.
Risk and Exploitability
The CVSS score of 5.4 places the vulnerability at medium severity. The EPSS estimate of under 1% indicates a low likelihood of exploitation in the wild at present, and the flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires a victim who is authenticated to the WordPress site to visit a malicious or compromised page, from which the forged request is sent automatically to the LiveAgent endpoints; the attacker therefore has to lure a suitably privileged user rather than attack the site directly. Overall the risk is moderate, and the probability of widespread attacks is considered low.
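To make the mechanism described in the Impact and Risk sections concrete, the following is an added example written for this page, not LiveAgent's code (which is not reproduced here): a hypothetical WordPress settings handler, first in the CSRF-prone form that relies only on the victim being logged in, then hardened with a nonce and a capability check. All names (the acme_support_* functions and actions, the option key acme_support_widget_text, the settings page slug) are invented for the example.

```php
<?php
/*
 * Hypothetical WordPress plugin settings handler, shown twice: first
 * without CSRF protection, then hardened. Every identifier here
 * (acme_support_*, acme_support_widget_text, page=acme-support) is
 * invented for this example; this is not LiveAgent's code.
 */

// --- Vulnerable pattern ----------------------------------------------
// admin_post_{action} hooks only fire for logged-in users, so it is
// tempting to treat "request arrived authenticated" as sufficient.
// That is exactly what CSRF abuses: the browser attaches the victim's
// session cookie to a form submitted from any origin.
add_action( 'admin_post_acme_support_save_insecure', 'acme_support_save_insecure' );
function acme_support_save_insecure() {
    // No nonce, no capability check. A page on another site containing
    //   <form method="post" action="https://victim-site/wp-admin/admin-post.php">
    // with hidden fields action=acme_support_save_insecure and widget_text
    // changes this option for whichever logged-in user loads it.
    $text = isset( $_POST['widget_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['widget_text'] ) )
        : '';
    update_option( 'acme_support_widget_text', $text );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme-support' ) );
    exit;
}

// --- Hardened pattern ------------------------------------------------
// The settings form embeds a nonce bound to the current user and
// session. A cross-origin page cannot read it, so a forged POST fails.
function acme_support_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_support_save">
        <?php wp_nonce_field( 'acme_support_save', 'acme_support_nonce' ); ?>
        <label>Widget text
            <input type="text" name="widget_text"
                   value="<?php echo esc_attr( get_option( 'acme_support_widget_text', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_acme_support_save', 'acme_support_save' );
function acme_support_save() {
    // 1. Authorization: being logged in is not the same as being allowed
    //    to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: verify the nonce from the hidden field. Despite its name,
    //    check_admin_referer() checks the nonce, not the Referer header;
    //    on failure it calls wp_nonce_ays(), which dies with HTTP 403.
    check_admin_referer( 'acme_support_save', 'acme_support_nonce' );

    // 3. Only now touch state, with the input sanitised.
    $text = isset( $_POST['widget_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['widget_text'] ) )
        : '';
    update_option( 'acme_support_widget_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'options-general.php?page=acme-support' ) ) );
    exit;
}
```

For handlers reached through wp-admin/admin-ajax.php the equivalent check is check_ajax_referer(), and a settings page that posts to options.php via settings_fields() gets its nonce generated and verified by WordPress itself. Whichever route a plugin uses, the two checks belong together: the nonce stops a forged request from another origin, and the capability check stops a low-privileged but authenticated user from submitting the form directly. A quick audit for a plugin like the one described above is to grep its admin_post_*, wp_ajax_* and REST callbacks for a state change that is not preceded by a nonce verification.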