Description
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-06-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Leakage and Misconfiguration of AI Chat Settings
Action: Apply Patch
AI Analysis

Impact

The Hive Support plugin suffers from a Cross‑Site Request Forgery flaw, identified as CWE‑352, caused by missing or incorrect nonce validation in the hs_update_ai_chat_settings() function. This allows an unauthenticated attacker to craft a forged request that an administrator may execute by clicking a link or visiting a page, leading to unauthorized reconfiguration of the plugin’s AI chat settings, such as API keys. The attacker could then redirect notifications or leak data to attacker‑controlled endpoints. The primary impact is data leakage and potential loss of control over the chat functionality, which could expose sensitive information or allow further exploitation of the site.

Affected Systems

Products affected are Hive Support | AI‑Powered Help Desk, Live Chat & AI Chat Bot plugin for WordPress, all versions up to and including 1.2.5. Any WordPress installation using these plugin versions and the associated admin AJAX endpoint is vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated site administrator to unknowingly execute a crafted request, making it a user‑interaction dependent CSRF attack. While the risk is moderate, the potential for data exfiltration motivates prompt remediative action.

Generated by OpenCVE AI on April 22, 2026 at 04:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hive Support plugin to the latest version (1.2.6 or later) to restore proper nonce validation in hs_update_ai_chat_settings().
  • Disable the hs_update_ai_chat_settings AJAX action or restrict it to properly authenticated requests only.
  • If patching or disabling is not immediately possible, configure a firewall rule or security plugin to block unauthenticated AJAX requests to the plugin’s admin URLs until the issue is resolved.

Generated by OpenCVE AI on April 22, 2026 at 04:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17081 The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Hive Support <= 1.2.4 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function Hive Support <= 1.2.5 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function
References

Fri, 06 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Hive Support <= 1.2.4 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:16.318Z

Reserved: 2025-05-20T22:32:39.398Z

Link: CVE-2025-5019

cve-icon Vulnrichment

Updated: 2025-06-06T15:43:41.401Z

cve-icon NVD

Status : Deferred

Published: 2025-06-06T07:15:28.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5019

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses