Platform: wordpress
Component: freshchat
Fixed in: 2.3.5
CVE-2025-64240 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Freshchat WordPress plugin. This vulnerability allows an attacker to trick a user into performing actions they didn't intend, potentially leading to unauthorized modifications or data exposure within the Freshchat environment. The vulnerability impacts versions from 0.0.0 up to and including 2.3.4, and a patch is available in version 2.3.5.
A successful CSRF attack could allow an attacker to modify Freshchat configurations, access or delete customer data, or perform other administrative actions as the logged-in user. The impact is directly tied to the privileges of the user being targeted. For instance, an administrator account compromised via CSRF could grant the attacker full control over the Freshchat instance and potentially the broader WordPress site. This vulnerability highlights the importance of proper CSRF protection mechanisms within web applications, especially those handling sensitive user data.
CVE-2025-64240 was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified as of this writing. The EPSS score is pending evaluation. It is recommended to monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress sites utilizing the Freshchat plugin, particularly those with administrator accounts that are frequently targeted or have weak password policies, are at increased risk. Shared hosting environments where multiple WordPress installations share the same server resources are also more vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
  grep -r 'freshchat_settings_update' /var/www/html/wp-content/plugins/
• generic web:
  curl -I 'https://your-freshchat-site.com/wp-admin/admin-ajax.php?action=freshchat_settings_update&setting_name=some_setting&setting_value=some_value' -v
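Beyond the grep above, a practitioner usually wants a direct check of the installed plugin version against the fixed release. The following PHP script is an added example and is not part of this advisory or of the Freshchat plugin's own code; it assumes the plugin's main file carries a standard WordPress "Version:" header and that the plugin directory path is known (the path shown is a placeholder). The embedded header is a constructed sample so the script runs without a WordPress install.

```php
<?php
// Added example (not part of the advisory or the Freshchat plugin): decide whether an
// installed WordPress plugin is at or below the last vulnerable version (2.3.4) by
// parsing its plugin header and comparing against the first fixed release (2.3.5).
// Assumptions: the main plugin file uses the standard "Version:" header and the
// plugin directory path given below is a placeholder for the real install.

const FIXED_VERSION = '2.3.5'; // from the advisory: first version containing the fix

/** Extract the "Version:" value from a WordPress plugin header block, or null if absent. */
function parsePluginVersion(string $headerText): ?string
{
    if (preg_match('/^\s*\*?\s*Version:\s*(\S+)/mi', $headerText, $m)) {
        return $m[1];
    }
    return null;
}

/** True when the installed version sorts below the fixed release (e.g. 2.3.4 < 2.3.5, 2.3.10 >= 2.3.5). */
function isAffected(string $installedVersion, string $fixedVersion = FIXED_VERSION): bool
{
    return version_compare($installedVersion, $fixedVersion, '<');
}

/** Locate a plugin's main file: the first .php file in the directory whose header has "Plugin Name:". */
function findPluginMainFile(string $pluginDir): ?string
{
    foreach (glob(rtrim($pluginDir, '/') . '/*.php') ?: [] as $file) {
        $head = file_get_contents($file, false, null, 0, 8192); // WordPress itself reads the first 8 KB
        if ($head !== false && preg_match('/Plugin Name:/i', $head)) {
            return $file;
        }
    }
    return null;
}

// Constructed sample header so the script runs offline; a real header is read from disk.
$sampleHeader = <<<'HDR'
<?php
/**
 * Plugin Name: Freshchat (constructed sample header)
 * Version: 2.3.4
 */
HDR;

$version = parsePluginVersion($sampleHeader);
printf(
    "sample version %s -> %s\n",
    $version,
    isAffected($version) ? 'AFFECTED: upgrade to ' . FIXED_VERSION . ' or later' : 'not affected'
);

// Against a real install, point at the plugin directory (placeholder path, an assumption):
$pluginDir = '/var/www/html/wp-content/plugins/freshchat';
$main = findPluginMainFile($pluginDir);
if ($main !== null) {
    $installed = parsePluginVersion((string) file_get_contents($main));
    printf("installed %s -> %s\n", $installed ?? 'unknown',
        $installed !== null && isAffected($installed) ? 'AFFECTED' : 'not affected / unknown');
}
```

version_compare is used rather than a string comparison so that multi-digit components such as 2.3.10 are ordered correctly against 2.3.5; a plain lexical compare would misreport such a version as vulnerable.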
Exploit Status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade the Freshchat WordPress plugin to version 2.3.5 or later, which contains the fix. If immediate upgrading is not possible, apply temporary mitigations such as enabling a Web Application Firewall (WAF) with CSRF protection rules. Additionally, enforce strict user input validation and consider requiring an explicit confirmation step for sensitive actions within Freshchat. Regularly review Freshchat configurations and user permissions to identify and address any potential weaknesses. After upgrading, confirm the fix by attempting a CSRF request against a test user account and verifying that the action is blocked.
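The advisory describes the class of bug (a plugin action that accepts state-changing requests without proving the logged-in user intended them) without showing what the missing protection looks like in WordPress terms. The following is an added example written for this page, not the Freshchat plugin's actual code: a hypothetical admin-ajax settings handler with the kind of gap described, beside a hardened version that applies the standard WordPress defences (nonce check, capability check, allow-listed setting names, sanitised values). The hook names, option prefix, capability and field names are assumptions chosen for illustration.

```php
<?php
// Added example (not the Freshchat plugin's code): an admin-ajax settings handler with the
// CSRF weakness class the advisory describes, beside a hardened version.
// Hook names, option prefix and field names are assumptions for illustration only.

// --- Vulnerable pattern: any request carrying a logged-in user's session cookie is honoured.
// Nothing in the request proves the user intended it, which is exactly what CSRF abuses.
function example_vulnerable_settings_update(): void
{
    $name  = $_POST['setting_name']  ?? '';
    $value = $_POST['setting_value'] ?? '';
    update_option('example_freshchat_' . $name, $value); // no nonce, no capability check, no allow-list
    wp_send_json_success();
}
add_action('wp_ajax_example_vulnerable_settings_update', 'example_vulnerable_settings_update');

// --- Hardened pattern.
// 1. Registered only on wp_ajax_* (never wp_ajax_nopriv_*), so anonymous requests never reach it.
// 2. check_ajax_referer() verifies a nonce that only a page served by this site embeds;
//    a request forged from another origin lacks it and is rejected with HTTP 403.
// 3. current_user_can() binds the action to an explicit capability, limiting what a
//    tricked low-privilege account could change.
// 4. The setting name is allow-listed and the value sanitised, so the handler cannot be
//    steered at arbitrary options.
const EXAMPLE_ALLOWED_SETTINGS = ['widget_token', 'widget_host'];

function example_hardened_settings_update(): void
{
    check_ajax_referer('example_freshchat_settings', '_wpnonce'); // dies with 403 on a bad/missing nonce

    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403); // wp_die()s after sending
    }

    $name = sanitize_key($_POST['setting_name'] ?? '');
    if (!in_array($name, EXAMPLE_ALLOWED_SETTINGS, true)) {
        wp_send_json_error(['message' => 'unknown setting'], 400);
    }
    $value = sanitize_text_field(wp_unslash($_POST['setting_value'] ?? ''));

    update_option('example_freshchat_' . $name, $value);
    wp_send_json_success(['setting' => $name]);
}
add_action('wp_ajax_example_hardened_settings_update', 'example_hardened_settings_update');

// The legitimate settings page must issue the nonce with the form; wp_nonce_field() emits the
// hidden "_wpnonce" input that check_ajax_referer() later validates.
function example_render_settings_form(): void
{
    echo '<form method="post" action="' . esc_url(admin_url('admin-ajax.php')) . '">';
    echo '<input type="hidden" name="action" value="example_hardened_settings_update">';
    wp_nonce_field('example_freshchat_settings', '_wpnonce');
    echo '<input name="setting_name" value="widget_host">';
    echo '<input name="setting_value">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

When reviewing a plugin update for a CSRF fix, the diff to look for is exactly this shape: a check_ajax_referer()/check_admin_referer() call and a current_user_can() call added at the top of the handler, with the matching wp_nonce_field() or wp_create_nonce() on the page that issues the request. A WAF rule, as suggested above, can only approximate this by inspecting Referer/Origin headers and is a stopgap until the patched version is installed.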
No known patch available. Please review the vulnerability details in depth and implement mitigations based on your organization's risk tolerance. It may be better to uninstall the affected software and find a replacement.
CVE-2025-64240 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Freshchat WordPress plugin versions 0.0.0–2.3.4, allowing attackers to perform unauthorized actions.
You are affected if you are using Freshchat WordPress plugin versions 0.0.0 through 2.3.4. Upgrade to 2.3.5 or later to mitigate the risk.
Upgrade the Freshchat WordPress plugin to version 2.3.5 or later. Implement WAF rules and user input validation as temporary mitigations.
No active exploitation has been confirmed as of this writing, but it's crucial to apply the patch promptly.
Refer to the Freshchat official website and WordPress plugin repository for the latest advisory and update information.