Description
Cross-Site Request Forgery (CSRF) vulnerability in freshchat Freshchat freshchat allows Cross Site Request Forgery.This issue affects Freshchat: from n/a through <= 2.3.4.
Published: 2025-12-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery (CSRF) flaw exists in the Freshchat WordPress plugin, versions up to and including 2.3.4. The weakness, classified as CWE‑352, means that at least one state-changing action exposed by the plugin does not verify that the request was intentionally issued by the logged-in user, for example through a WordPress nonce. An attacker who lures an authenticated user (typically an administrator, since plugin settings require that role) to a page under the attacker's control can have that user's browser submit a forged request, which the plugin then processes with the victim's privileges. The CVSS vector (C:N/I:L/A:N) rates the consequence as a limited integrity impact: the attacker can alter plugin data or settings, but cannot read data or disrupt availability through this flaw alone. The advisory does not identify which action is affected.

Affected Systems

The vulnerability affects the Freshchat WordPress plugin, all releases up to and including version 2.3.4. Any WordPress site running the plugin is exposed whenever a user with sufficient privileges is logged in and browses to attacker-controlled content in the same browser.

Risk and Exploitability

The CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) signals medium severity: the attack is network-reachable and needs no privileges, but it requires user interaction and yields only a limited integrity impact. The EPSS score of less than 1% means the model predicts a very low probability of exploitation in the wild over the next 30 days, and the CVE is not listed in the CISA KEV catalog, so no active exploitation is known. A realistic attack is a web page that auto-submits a form or fires a cross-site request at the plugin's endpoint; the attacker does not need to discover or steal the victim's session, because the browser attaches the WordPress authentication cookies to the forged request on its own. The SSVC assessment recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: partial) is consistent with this picture.

Generated by OpenCVE AI on April 29, 2026 at 12:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Freshchat plugin to a version newer than 2.3.4 as soon as the vendor releases one; check the release's changelog for a CSRF fix before relying on it.
  • If no fixed release is available, deactivate the plugin until one is. Restricting the plugin to administrators does not mitigate CSRF, because the forged request is sent by an already-authorised user's own browser; what reduces exposure in the meantime is keeping privileged sessions short and not browsing untrusted sites from the browser session used for WordPress administration.
  • If you maintain the plugin or a fork of it, verify that every state-changing handler (admin_post_*, wp_ajax_* callbacks and settings pages) checks both a capability (current_user_can()) and a nonce (check_admin_referer(), check_ajax_referer() or wp_verify_nonce()) before acting. Site operators can confirm this by reviewing the plugin source for handlers that call update_option() or similar without such checks.
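The nonce check the recommendations refer to, and the attack pattern described under Impact, as an added example that is not part of this page or of the Freshchat plugin. The handler, the 'fc_demo_save' admin-post action, the 'fc_demo_widget_token' option and the 'fc_demo_save_settings' nonce action are hypothetical names, and the attacker page in the comment is constructed for illustration. The example contrasts a handler that trusts any authenticated POST with one that verifies both capability and nonce:

```php
<?php
/**
 * Added example, not code from the Freshchat plugin: a hypothetical WordPress
 * settings handler shown first without CSRF protection and then hardened.
 * The action name 'fc_demo_save', the option 'fc_demo_widget_token' and the
 * nonce action 'fc_demo_save_settings' are assumed names for illustration.
 */

/*
 * VULNERABLE: acts on any POST that names the action. If an administrator who
 * is logged in to the site visits an attacker page containing (constructed)
 *
 *   <form method="POST" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="fc_demo_save">
 *     <input type="hidden" name="widget_token" value="attacker-token">
 *   </form>
 *   <script>document.forms[0].submit()</script>
 *
 * the browser attaches the victim's WordPress auth cookies, the request passes
 * WordPress' login check, and the option is overwritten (CWE-352). That is
 * consistent with the limited integrity impact (I:L) in the CVSS vector.
 */
function fc_demo_save_vulnerable() {
    if ( isset( $_POST['widget_token'] ) ) {
        $token = sanitize_text_field( wp_unslash( $_POST['widget_token'] ) );
        update_option( 'fc_demo_widget_token', $token ); // no capability or nonce check
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=fc-demo' ) );
    exit;
}
// Deliberately not registered with add_action(); kept only to show the missing checks.

/*
 * HARDENED: authorisation first, then proof of intent. The nonce is derived
 * from the user's session and the action name and only appears in forms the
 * site itself rendered, so a cross-site page cannot supply a valid one.
 */
function fc_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Verifies $_POST['fc_demo_nonce'] against the action and checks the
    // Referer; calls wp_die() on failure, so nothing below runs for a forgery.
    check_admin_referer( 'fc_demo_save_settings', 'fc_demo_nonce' );

    $token = isset( $_POST['widget_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['widget_token'] ) )
        : '';
    update_option( 'fc_demo_widget_token', $token );

    wp_safe_redirect( admin_url( 'options-general.php?page=fc-demo' ) );
    exit;
}
add_action( 'admin_post_fc_demo_save', 'fc_demo_save_hardened' );

/* The legitimate settings form carries the nonce the hardened handler expects. */
function fc_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="fc_demo_save">
        <?php wp_nonce_field( 'fc_demo_save_settings', 'fc_demo_nonce' ); ?>
        <label>Widget token
            <input type="text" name="widget_token"
                   value="<?php echo esc_attr( get_option( 'fc_demo_widget_token', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The capability check and the nonce check are separate controls: the nonce proves the request came from a form WordPress rendered for this user, not that the user is allowed to perform the action, so neither replaces the other. For handlers registered with wp_ajax_* the equivalent is check_ajax_referer(), and REST routes get a permission_callback instead. WordPress nonces stay valid for 12 to 24 hours, which is enough to defeat a cross-site forgery but is not a single-use token, so the surrounding form and session handling still matter.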



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 21:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in freshchat Freshchat freshchat allows Cross Site Request Forgery.This issue affects Freshchat: from n/a through <= 2.3.4.
Type: Title
Values Added: WordPress Freshchat plugin <= 2.3.4 - Cross Site Request Forgery (CSRF) vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:27:19.039Z

Reserved: 2025-10-29T03:08:12.203Z

Link: CVE-2025-64240

Vulnrichment

Updated: 2025-12-16T20:51:52.837Z

NVD

Status: Deferred

Published: 2025-12-16T09:15:53.517

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:30:10Z

Weaknesses