Platform: wordpress
Component: freshchat
Fixed in: 2.3.5
CVE-2025-64240 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Freshchat WordPress plugin. This vulnerability allows an attacker to trick a user into performing actions they didn't intend, potentially leading to unauthorized modifications or data exposure within the Freshchat environment. The vulnerability impacts versions from 0.0.0 up to and including 2.3.4, and a patch is available in version 2.3.5.
A successful CSRF attack could allow an attacker to modify Freshchat configurations, access or delete customer data, or perform other administrative actions as the logged-in user. The impact is directly tied to the privileges of the user being targeted. For instance, an administrator account compromised via CSRF could grant the attacker full control over the Freshchat instance and potentially the broader WordPress site. This vulnerability highlights the importance of proper CSRF protection mechanisms within web applications, especially those handling sensitive user data.
CVE-2025-64240 was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified as of this writing. The EPSS score is pending evaluation. It is recommended to monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress sites utilizing the Freshchat plugin, particularly those with administrator accounts that are frequently targeted or have weak password policies, are at increased risk. Shared hosting environments where multiple WordPress installations share the same server resources are also more vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
grep -r 'freshchat_settings_update' /var/www/html/wp-content/plugins/
• generic web:
curl -I -v 'https://your-freshchat-site.com/wp-admin/admin-ajax.php?action=freshchat_settings_update&setting_name=some_setting&setting_value=some_value'
Disclosure: 2025-12-16
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade the Freshchat WordPress plugin to version 2.3.5 or later, which contains the fix. If an immediate upgrade is not possible, apply temporary mitigations such as enabling a Web Application Firewall (WAF) with CSRF protection rules. Additionally, enforce strict user input validation and consider requiring an explicit confirmation step for sensitive actions within Freshchat. Regularly review Freshchat configurations and user permissions to identify and address any potential weaknesses. After upgrading, confirm the fix by attempting a CSRF request against a test user account and verifying that the action is rejected.
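The class of bug described above is a state-changing admin-ajax handler that trusts the session cookie alone. The following is an added illustration, not Freshchat's own code: a hypothetical handler (assumed action name `example_settings_update`, assumed option `example_settings`) shown first in the CSRF-prone form, then hardened with a WordPress nonce bound to the action plus a capability check.

```php
<?php
// Illustrative WordPress AJAX handler; NOT the Freshchat plugin's code.
// The action name 'example_settings_update' and option key 'example_settings'
// are assumptions made for this example.

// BEFORE (CSRF-prone): any request that carries a logged-in user's cookies is
// honoured, so a form auto-submitted from a third-party page changes settings.
function example_settings_update_vulnerable() {
    $name  = sanitize_key( $_POST['setting_name'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['setting_value'] ?? '' ) );
    $opts  = get_option( 'example_settings', array() );
    $opts[ $name ] = $value;
    update_option( 'example_settings', $opts );
    wp_send_json_success();
}

// AFTER (hardened): the request must carry a nonce tied to this action and this
// user, and the user must hold the capability the action requires.
function example_settings_update_secure() {
    // Dies with HTTP 403 when the _ajax_nonce field is missing or invalid, so a
    // cross-site form (which cannot read the nonce) never reaches the write below.
    check_ajax_referer( 'example_settings_update', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $name  = sanitize_key( $_POST['setting_name'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['setting_value'] ?? '' ) );
    $opts  = get_option( 'example_settings', array() );
    $opts[ $name ] = $value;
    update_option( 'example_settings', $opts );
    wp_send_json_success();
}
// Registered for authenticated users only; no wp_ajax_nopriv_ hook, so
// anonymous requests to admin-ajax.php for this action are not handled at all.
add_action( 'wp_ajax_example_settings_update', 'example_settings_update_secure' );

// The legitimate admin page hands the nonce to its script, which must send it
// back as the _ajax_nonce POST field (admin.js is an assumed file name).
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_settings_update' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When reviewing a plugin for this bug class, look for every `wp_ajax_` and `admin_post_` callback that writes options or data without a `check_ajax_referer` / `check_admin_referer` call and a capability check before the write.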
No known patch available. Please review the vulnerability details carefully and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find a replacement.
CVE-2025-64240 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Freshchat WordPress plugin versions 0.0.0–2.3.4, allowing attackers to perform unauthorized actions.
You are affected if you are using Freshchat WordPress plugin versions 0.0.0 through 2.3.4. Upgrade to 2.3.5 or later to mitigate the risk.
Upgrade the Freshchat WordPress plugin to version 2.3.5 or later. Implement WAF rules and user input validation as temporary mitigations.
No active exploitation has been confirmed as of this writing, but it's crucial to apply the patch promptly.
Refer to the Freshchat official website and WordPress plugin repository for the latest advisory and update information.