Platform
wordpress
Component
freshchat
Fixed version
2.3.5
CVE-2025-64240 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Freshchat WordPress plugin. This vulnerability allows an attacker to trick a user into performing actions they didn't intend, potentially leading to unauthorized modifications or data exposure within the Freshchat environment. The vulnerability impacts versions from 0.0.0 up to and including 2.3.4, and a patch is available in version 2.3.5.
A successful CSRF attack could allow an attacker to modify Freshchat configurations, access or delete customer data, or perform other administrative actions as the logged-in user. The impact is directly tied to the privileges of the user being targeted. For instance, an administrator account compromised via CSRF could grant the attacker full control over the Freshchat instance and potentially the broader WordPress site. This vulnerability highlights the importance of proper CSRF protection mechanisms within web applications, especially those handling sensitive user data.
CVE-2025-64240 was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified as of this writing. The EPSS score is pending evaluation. It is recommended to monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress sites utilizing the Freshchat plugin, particularly those with administrator accounts that are frequently targeted or have weak password policies, are at increased risk. Shared hosting environments where multiple WordPress installations share the same server resources are also more vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
grep -r 'freshchat_settings_update' /var/www/html/wp-content/plugins/
• generic web:
curl -I -v 'https://your-freshchat-site.com/wp-admin/admin-ajax.php?action=freshchat_settings_update&setting_name=some_setting&setting_value=some_value'
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Freshchat WordPress plugin to version 2.3.5 or later, which contains the fix. If immediate upgrading is not possible, implement temporary mitigations such as enabling a Web Application Firewall (WAF) with CSRF protection rules. Additionally, enforce strict user input validation and consider implementing double opt-in for sensitive actions within Freshchat. Regularly review Freshchat configurations and user permissions to identify and address any potential vulnerabilities. After upgrading, confirm the fix by attempting a CSRF attack against a test user account and verifying that the action is blocked.
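As an added illustration of the CSRF protection a WordPress plugin's admin-ajax handler needs (example code written for this page, not the Freshchat plugin's own source; the handler, action, option and script names are hypothetical), the vulnerable pattern is shown beside a hardened form that ties each request to a WordPress nonce and a capability check:

```php
<?php
/*
 * Hypothetical WordPress admin-ajax handler that saves a plugin setting.
 * The "before" form trusts any request from a logged-in browser, so a page
 * on another site can submit it on the user's behalf (CSRF). The "after"
 * form verifies a nonce issued for this action and the caller's capability.
 */

// BEFORE (vulnerable pattern): no nonce, no capability check.
function example_settings_update_vulnerable() {
    $value = sanitize_text_field( wp_unslash( $_POST['setting_value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// AFTER (hardened): verify the nonce first, then the capability.
function example_settings_update_secure() {
    // Stops the request with HTTP 403 unless the nonce was issued for this
    // action and this user within the nonce lifetime (checks _ajax_nonce).
    check_ajax_referer( 'example_settings_update', '_ajax_nonce' );

    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['setting_value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_settings_update', 'example_settings_update_secure' );

// Hand the nonce to the plugin's own admin script so legitimate requests
// can send it as the _ajax_nonce POST field; a third-party page cannot read it.
function example_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_settings_update' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

Verifying the fix after upgrading comes down to confirming that the plugin's settings-changing handlers reject requests that lack a valid nonce, which is what the hardened form above enforces.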
No known fix patch exists. Review the vulnerability details carefully and implement mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find an alternative.
CVE-2025-64240 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Freshchat WordPress plugin versions 0.0.0–2.3.4, allowing attackers to perform unauthorized actions.
You are affected if you are using Freshchat WordPress plugin versions 0.0.0 through 2.3.4. Upgrade to 2.3.5 or later to mitigate the risk.
Upgrade the Freshchat WordPress plugin to version 2.3.5 or later. Implement WAF rules and user input validation as temporary mitigations.
No active exploitation has been confirmed as of this writing, but it's crucial to apply the patch promptly.
Refer to the Freshchat official website and WordPress plugin repository for the latest advisory and update information.