CVE-2025-47667
Description
Cross-Site Request Forgery (CSRF) vulnerability in qusupport LiveAgent liveagent allows Cross Site Request Forgery. This issue affects LiveAgent: from n/a through <= 4.4.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) vulnerability in WordPress LiveAgent plugin versions up to 4.4.7 allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
The LiveAgent plugin for WordPress, versions 4.4.7 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from insufficient validation of request origins, enabling an attacker to trick a logged-in administrator or other privileged user into performing unintended actions [1].
Exploitation Details
Exploitation requires user interaction: the victim must click a malicious link, visit a crafted page, or submit a form while authenticated. The attacker does not need direct access to the site but can leverage social engineering to deliver the payload. The vulnerability is noted to be used in mass-exploit campaigns targeting thousands of websites [1].
Impact
Successful exploitation allows an attacker to force the victim to execute actions under their current session, such as changing settings, creating new admin accounts, or modifying content. The CVSS v3 score is 5.4 (Medium), reflecting the need for user interaction and the potential for privilege escalation [1].
Mitigation
The vendor has released version 4.4.8 which resolves the CSRF issue. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for the plugin [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.