Platform: wordpress
Component: freshchat
Fixed in: 2.3.5
CVE-2025-64240 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Freshchat WordPress plugin. This vulnerability allows an attacker to trick a user into performing actions they didn't intend, potentially leading to unauthorized modifications or data exposure within the Freshchat environment. The vulnerability impacts versions from 0.0.0 up to and including 2.3.4, and a patch is available in version 2.3.5.
CSRF works by making the victim's browser send a request the plugin accepts as if the user had submitted it: the request rides on the victim's existing WordPress login cookie, so the attacker never needs the victim's password. A successful attack could allow an attacker to change Freshchat plugin settings or perform other state-changing actions the targeted user is allowed to perform; the advisory does not say which plugin actions lack protection, so treat any settings or data exposed through the plugin as in scope. The impact is bounded by the privileges of the targeted user: a forged request executed in an administrator's session could give the attacker control over the plugin's configuration and, depending on what the affected actions do, a foothold on the broader WordPress site. The root cause class is a state-changing handler that does not verify a WordPress nonce (or an equivalent anti-CSRF token) before acting.
CVE-2025-64240 was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified as of this writing. The EPSS score listed on this page is 0.02% (5th percentile), a low predicted probability of exploitation. Monitor security advisories and threat intelligence feeds for signs of active exploitation.
The precondition for exploitation is a user who is logged in to the WordPress site with sufficient privileges (typically an administrator) and who can be induced to open an attacker-controlled page while that session is active. Password strength is irrelevant here, because CSRF reuses the victim's existing session rather than guessing credentials. Administrators who browse the web from the same browser profile they use for wp-admin are therefore the realistic targets. Note that modern browsers' SameSite=Lax cookie default only blocks cross-site POST requests; a top-level GET navigation still carries the login cookie, so a handler that accepts its parameters via GET remains exploitable. Shared hosting does not change the CSRF exposure itself, but it widens the consequences of a compromised site if the hosting isolation between tenants is weak.
Detection checks. The action name freshchat_settings_update below is the one this page lists; confirm it against the installed plugin's source before relying on it, and treat the installed plugin version as the authoritative indicator.
• wordpress / composer / npm:
grep -r 'freshchat_settings_update' /var/www/html/wp-content/plugins/
grep -ri '^ *\* *Version:' /var/www/html/wp-content/plugins/freshchat/*.php
• generic web:
curl -I -v 'https://your-freshchat-site.com/wp-admin/admin-ajax.php?action=freshchat_settings_update&setting_name=some_setting&setting_value=some_value'
The curl only shows whether the endpoint responds; it does not prove that the action lacks a nonce check, and an unauthenticated request will normally be answered with a bare 0 or -1 by admin-ajax.php regardless of the vulnerability. Quote the URL, otherwise the shell treats each & as a background operator.
Disclosure and scoring
Exploit Status: no public PoC identified as of this writing
EPSS: 0.02% (5th percentile)
CISA SSVC: not provided on this page
CVSS vector: not provided on this page
The primary mitigation is to upgrade the Freshchat WordPress plugin to version 2.3.5 or later, which contains the fix. If immediate upgrading is not possible, the interim options are weaker: a Web Application Firewall rule that blocks requests to the affected action when the Referer or Origin header is absent or belongs to another site reduces exposure but is not equivalent to a fix, since forged requests otherwise look identical to legitimate ones. Input validation does not help against CSRF, because the forged request carries syntactically valid input; the control that does help is a per-user, per-action WordPress nonce checked on the server (wp_nonce_field or wp_create_nonce on the form side, check_admin_referer or check_ajax_referer on the handler side) together with a capability check such as current_user_can( 'manage_options' ), and rejecting state changes over GET. Until the patch is applied, administrators should avoid browsing untrusted sites in the browser profile used for wp-admin. Regularly review Freshchat configuration and user permissions so that an unexpected change is noticed. After upgrading, confirm the fix with a test user account: from a page on a different origin, submit the forged request without a nonce and verify that the plugin rejects it and that the setting is unchanged.
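To make the "proper CSRF protection" concrete, the following is an added example, not the Freshchat plugin's code. It shows the pattern that makes a WordPress settings endpoint CSRF-able next to its hardened form. The action name example_settings_update, the option name example_plugin_settings, the capability manage_options, the allow-listed setting names, the script handle and the admin page hook are all hypothetical; the WordPress functions used (add_action, check_ajax_referer, current_user_can, wp_create_nonce, wp_localize_script, wp_send_json_error, wp_send_json_success, get_option, update_option, sanitize_key, sanitize_text_field, wp_unslash) are the real core API.

```php
<?php
// Added example, not the Freshchat plugin's code. All action/option/handle
// names below are hypothetical placeholders.

// BEFORE: the CSRF-able pattern. Any request that carries the victim's
// logged-in cookie is acted on; nothing ties it to a form the user saw,
// and parameters are accepted via $_REQUEST, so a plain GET link works too.
add_action( 'wp_ajax_example_settings_update_unsafe', function () {
    $name  = isset( $_REQUEST['setting_name'] )  ? sanitize_key( $_REQUEST['setting_name'] ) : '';
    $value = isset( $_REQUEST['setting_value'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['setting_value'] ) ) : '';
    $settings          = get_option( 'example_plugin_settings', array() );
    $settings[ $name ] = $value;
    update_option( 'example_plugin_settings', $settings ); // attacker-chosen value persisted
    wp_send_json_success( $settings );
} );

// AFTER: hardened handler.
add_action( 'wp_ajax_example_settings_update', function () {
    // 1. State changes only over POST. A cross-site top-level GET navigation
    //    still sends the login cookie even under the SameSite=Lax default.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }
    // 2. Authorization. A nonce proves intent, not privilege; both are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Anti-CSRF nonce. check_ajax_referer() verifies $_REQUEST['_ajax_nonce']
    //    against the action string for the current user and session token;
    //    on mismatch it replies -1 with HTTP 403 and stops execution.
    check_ajax_referer( 'example_settings_update', '_ajax_nonce' );

    $name  = isset( $_POST['setting_name'] )  ? sanitize_key( $_POST['setting_name'] ) : '';
    $value = isset( $_POST['setting_value'] ) ? sanitize_text_field( wp_unslash( $_POST['setting_value'] ) ) : '';

    // 4. Allow-list the settings that may be changed through this endpoint.
    $allowed = array( 'widget_token', 'widget_position' ); // hypothetical keys
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }

    $settings          = get_option( 'example_plugin_settings', array() );
    $settings[ $name ] = $value;
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
} );

// Issuing the nonce to the legitimate settings page. The nonce is derived from
// the logged-in user and session, so a page on another origin cannot obtain
// it and therefore cannot build a request that passes check_ajax_referer().
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example-plugin' !== $hook ) { // hypothetical page hook
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_settings_update' ),
    ) );
    // settings.js then POSTs { action: 'example_settings_update',
    // _ajax_nonce: exampleSettings.nonce, setting_name: ..., setting_value: ... }
} );
```

The verification step from the mitigation paragraph maps onto this directly: a POST to admin-ajax.php with action=example_settings_update from a test administrator's browser that omits _ajax_nonce (or carries a nonce minted for a different user) must come back as -1 with HTTP 403 and leave example_plugin_settings unchanged, while the same request with a fresh nonce from the settings page succeeds. Note that WordPress nonces are valid for up to 24 hours and are not single-use, so they defend against cross-site forgery but are not a replacement for the capability check.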
CVE-2025-64240 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Freshchat WordPress plugin versions 0.0.0–2.3.4, allowing attackers to perform unauthorized actions.
You are affected if you are using Freshchat WordPress plugin versions 0.0.0 through 2.3.4. Upgrade to 2.3.5 or later to mitigate the risk.
Upgrade the Freshchat WordPress plugin to version 2.3.5 or later. As a temporary measure, add WAF rules for the affected action and keep administrators from browsing untrusted sites while logged in to wp-admin; input validation does not mitigate CSRF.
No active exploitation has been confirmed as of this writing, but it's crucial to apply the patch promptly.
Refer to the Freshchat official website and WordPress plugin repository for the latest advisory and update information.