Description
Cross-Site Request Forgery (CSRF) vulnerability in César Martín TOCHAT.BE tochat-be allows Cross Site Request Forgery. This issue affects TOCHAT.BE: from n/a through <= 1.3.4.
Published: 2025-09-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery flaw in the TOCHAT.BE WordPress plugin enables an attacker to cause a logged‑in user to perform actions automatically without their intent, potentially tampering with chat settings or configuration. The weakness is a classic CSRF (CWE‑352) and carries a CVSS base score of 4.3, indicating a low‑to‑moderate severity.

Affected Systems

The vulnerability is present in all published releases of the TOCHAT.BE plugin from the initial version through version 1.3.4, including all intervening builds. The affected vendor is César Martín, and the product is the TOCHAT.BE WordPress plugin.

Risk and Exploitability

The EPSS score is below 1% and the issue is not currently listed as a Known Exploited Vulnerability in the CISA KEV catalog, suggesting that active exploitation is unlikely at present. However, the flaw can be leveraged by embedding a malicious form or link into an external site that the user visits while authenticated, leading to the execution of unintended plugin operations. The lack of a proper anti‑CSRF token or nonce creates a clear attack path for active threat actors with minimal effort.

Generated by OpenCVE AI on April 30, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TOCHAT.BE plugin to a version that removes the CSRF flaw (e.g., 1.3.5 or later).
  • Ensure that all forms and AJAX requests generated by TOCHAT.BE include a nonce verification token so that forged requests are rejected.
  • Limit the plugin’s exposure to authenticated users only, disabling any functionality that can be triggered by a browser request from an unauthenticated context.
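The nonce recommendation above, as an added example that is not code from the TOCHAT.BE plugin: a hypothetical WordPress settings handler (all tochat_example_* names and the option key are invented) shown first without a nonce check, which is the class of defect CWE-352 describes, and then hardened with WordPress's own nonce functions so a forged cross-site request is rejected before it reaches update_option().

```php
<?php
// Added example, not the plugin's code. tochat_example_* names are hypothetical.

// VULNERABLE: the only gate is a capability check. A form hosted elsewhere and
// submitted by a logged-in admin's browser carries that admin's cookies, so the
// capability check passes and the setting is changed without the admin's intent.
function tochat_example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    update_option( 'tochat_example_phone', sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=tochat-example' ) );
    exit;
}
add_action( 'admin_post_tochat_example_save_vulnerable', 'tochat_example_save_settings_vulnerable' );

// HARDENED, step 1: the settings form embeds a nonce bound to this action and
// to the current user's session. A third-party site cannot read or guess it.
function tochat_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="tochat_example_save">';
    wp_nonce_field( 'tochat_example_save', '_tochat_nonce' ); // adds the hidden nonce input
    echo '<input type="text" name="phone">';
    submit_button( 'Save' );
    echo '</form>';
}

// HARDENED, step 2: the handler verifies the nonce first. check_admin_referer()
// terminates the request when the nonce is missing or invalid, so a forged
// request never reaches update_option().
function tochat_example_save_settings() {
    check_admin_referer( 'tochat_example_save', '_tochat_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    update_option( 'tochat_example_phone', sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=tochat-example' ) );
    exit;
}
add_action( 'admin_post_tochat_example_save', 'tochat_example_save_settings' );

// AJAX variant: the script gets a nonce via wp_create_nonce() and sends it as
// the 'nonce' field; check_ajax_referer() rejects requests without a valid one.
function tochat_example_ajax_save() {
    check_ajax_referer( 'tochat_example_ajax', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges', 403 );
    }
    update_option( 'tochat_example_phone', sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_tochat_example_save', 'tochat_example_ajax_save' );
```

Note that the capability check alone does not stop CSRF, because the victim's browser supplies valid credentials; only the nonce (or an equivalent per-request secret) proves the request originated from the plugin's own page.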


Advisories
Source: EUVD
ID: EUVD-2025-30715
Title: Cross-Site Request Forgery (CSRF) vulnerability in César Martín TOCHAT.BE allows Cross Site Request Forgery. This issue affects TOCHAT.BE: from n/a through 1.3.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in César Martín TOCHAT.BE allows Cross Site Request Forgery. This issue affects TOCHAT.BE: from n/a through 1.3.4.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in César Martín TOCHAT.BE tochat-be allows Cross Site Request Forgery.This issue affects TOCHAT.BE: from n/a through <= 1.3.4.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 23 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Tochat Be
Tochat Be tochat Be
Wordpress
Wordpress wordpress
Vendors & Products Tochat Be
Tochat Be tochat Be
Wordpress
Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in César Martín TOCHAT.BE allows Cross Site Request Forgery. This issue affects TOCHAT.BE: from n/a through 1.3.4.
Title WordPress TOCHAT.BE Plugin <= 1.3.4 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:38.010Z

Reserved: 2025-08-22T11:36:12.720Z

Link: CVE-2025-57915

Vulnrichment

Updated: 2025-09-23T16:17:40.009Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:47.917

Modified: 2026-04-23T15:33:01.440

Link: CVE-2025-57915

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:30:29Z

Weaknesses